diff --git a/api/src/com/cloud/api/BaseCmd.java b/api/src/com/cloud/api/BaseCmd.java index c84c484ed80..64142756f0a 100755 --- a/api/src/com/cloud/api/BaseCmd.java +++ b/api/src/com/cloud/api/BaseCmd.java @@ -576,7 +576,7 @@ public abstract class BaseCmd { return this.fullUrlParams; } - public Long getAccountId(String accountName, String projectName, Long domainId) { + public Long getAccountId(String accountName, Long domainId, Long projectId) { if (accountName != null) { if (domainId == null) { throw new InvalidParameterValueException("Account must be specified with domainId parameter"); @@ -589,18 +589,16 @@ public abstract class BaseCmd { } } - if (projectName != null) { - if (domainId == null) { - throw new InvalidParameterValueException("Project must be specified with domainId parameter"); - } - Project project = _projectService.findByNameAndDomainId(projectName, domainId); + if (projectId != null) { + + Project project = _projectService.getProject(projectId); if (project != null) { return project.getProjectAccountId(); } else { - throw new InvalidParameterValueException("Unable to find project by name " + project + " in domain id=" + domainId); + throw new InvalidParameterValueException("Unable to find project by id " + projectId); } } - return null; + return UserContext.current().getCaller().getId(); } } diff --git a/api/src/com/cloud/api/commands/DeployVMCmd.java b/api/src/com/cloud/api/commands/DeployVMCmd.java index fa00dc065ef..035ba5d8e54 100644 --- a/api/src/com/cloud/api/commands/DeployVMCmd.java +++ b/api/src/com/cloud/api/commands/DeployVMCmd.java 
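Review bot: The new fallback `return UserContext.current().getCaller().getId();` dereferences the caller without a null check, while other code in this same commit still treats the caller as possibly null (`boolean isAdmin = ((caller == null) || isAdmin(caller.getType()))` in UserVmManagerImpl), and it silently changes the method's contract from "null when neither account nor project was given" to "the caller's own account", which every existing caller of getAccountId inherits. The projectId branch resolves `_projectService.getProject(projectId)` and returns its project account id, but nothing in this hunk verifies that the caller may act for that project; if that authorization is performed by the services consuming the returned id, state it on the method, e.g. `/** Resolves the owner account: the named account, the project's account, or the caller. Performs no authorization; callers must checkAccess on the result. */`. The accountName branch (BaseCmd lines 580–588) is outside the hunk.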
@@ -124,6 +124,9 @@ public class DeployVMCmd extends BaseAsyncCreateCmd { @Parameter(name=ApiConstants.KEYBOARD, type=CommandType.STRING, description="an optional keyboard device type for the virtual machine. valid value can be one of de,de-ch,es,fi,fr,fr-be,fr-ch,is,it,jp,nl-be,no,pt,uk,us") private String keyboard; + @Parameter(name=ApiConstants.PROJECT_ID, type=CommandType.LONG, description="Deploy vm for the project") + private Long projectId; + ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// @@ -271,19 +274,7 @@ public class DeployVMCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { - Account account = UserContext.current().getCaller(); - if ((account == null) || isAdmin(account.getType())) { - if ((domainId != null) && (accountName != null)) { - Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); - if (userAccount != null) { - return userAccount.getId(); - } else { - throw new InvalidParameterValueException("Unable to find account by name " + getAccountName() + " in domain " + getDomainId()); - } - } - } - - return account.getId(); + return getAccountId(accountName, domainId, projectId); } @Override @@ -346,10 +337,7 @@ public class DeployVMCmd extends BaseAsyncCreateCmd { public void create() throws ResourceAllocationException{ try { //Verify that all objects exist before passing them to the service - Account owner = _accountService.getActiveAccountByName(getAccountName(), getDomainId()); - if (owner == null) { - throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId); - } + Account owner = _accountService.getActiveAccountById(getEntityOwnerId()); DataCenter zone = _configService.getZone(zoneId); if (zone == null) { diff --git a/api/src/com/cloud/api/commands/ListResourceLimitsCmd.java b/api/src/com/cloud/api/commands/ListResourceLimitsCmd.java index 77ad368767c..83da5b2764e 100644 
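Review bot: getEntityOwnerId drops the admin gate the removed lines enforced — only an admin (or a null caller) could resolve accountName/domainId to an owner other than itself — and the replacement `getAccountId(accountName, domainId, projectId)` is inherited from BaseCmd, whose accountName branch is not in this diff, so whether a non-admin can now name another account as the VM owner depends on code outside the hunk. A comment recording where that authorization is expected would make the intent reviewable, e.g. `// owner resolution is delegated to BaseCmd.getAccountId; the caller's right to act for accountName/projectId must be enforced there or in the deploy service`. The enclosing class continues outside the hunk.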
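Review bot: `Account owner = _accountService.getActiveAccountById(getEntityOwnerId());` loses the null check the removed lines applied to the account lookup; if getActiveAccountById can return null (as getActiveAccountByName evidently could), the failure surfaces later as a NullPointerException instead of the earlier InvalidParameterValueException. Suggest `if (owner == null) { throw new InvalidParameterValueException("Unable to find active account with id " + getEntityOwnerId()); }` immediately after the lookup. create() continues outside the hunk.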
--- a/api/src/com/cloud/api/commands/ListResourceLimitsCmd.java +++ b/api/src/com/cloud/api/commands/ListResourceLimitsCmd.java @@ -44,8 +44,8 @@ public class ListResourceLimitsCmd extends BaseListCmd { @Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="Lists resource limits by account. Must be used with the domainId parameter.") private String accountName; - @Parameter(name=ApiConstants.PROJECT, type=CommandType.STRING, description="Lists resource limits by project. Must be used with the domainId parameter.") - private String projectName; + @Parameter(name=ApiConstants.PROJECT_ID, type=CommandType.LONG, description="Lists resource limits by project") + private Long projectId; @Parameter(name=ApiConstants.DOMAIN_ID, type=CommandType.LONG, description="Lists resource limits by domain ID. If used with the account parameter, lists resource limits for a specified account in a specified domain.") private Long domainId; @@ -91,7 +91,7 @@ public class ListResourceLimitsCmd extends BaseListCmd { @Override public void execute(){ - List result = _resourceLimitService.searchForLimits(id, getAccountId(accountName, projectName, domainId), domainId, resourceType, this.getStartIndex(), this.getPageSizeVal()); + List result = _resourceLimitService.searchForLimits(id, getAccountId(accountName, domainId, projectId), domainId, resourceType, this.getStartIndex(), this.getPageSizeVal()); ListResponse response = new ListResponse(); List limitResponses = new ArrayList(); for (ResourceLimit limit : result) { diff --git a/api/src/com/cloud/api/commands/ListVMsCmd.java b/api/src/com/cloud/api/commands/ListVMsCmd.java index 41788af902d..485fdd9f9ae 100755 --- a/api/src/com/cloud/api/commands/ListVMsCmd.java +++ b/api/src/com/cloud/api/commands/ListVMsCmd.java 
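Review bot: In execute(), the account id passed to `searchForLimits` is now never null: BaseCmd.getAccountId, changed in this commit, falls back to the caller's own account id when neither accountName nor projectId is given, where it previously returned null. If searchForLimits treats a non-null account id as a filter, a domainId-only listing (the use described in the DOMAIN_ID parameter description) now returns only the caller's own limits. Either resolve the id locally and pass null for the domain-only case, e.g. `Long accountId = (accountName != null || projectId != null) ? getAccountId(accountName, domainId, projectId) : null;`, or confirm and document that the service ignores the account id when only a domain is given.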
@@ -25,6 +25,7 @@ import com.cloud.api.ApiConstants; import com.cloud.api.BaseListCmd; import com.cloud.api.Implementation; import com.cloud.api.Parameter; +import com.cloud.api.BaseCmd.CommandType; import com.cloud.api.response.ListResponse; import com.cloud.api.response.UserVmResponse; import com.cloud.async.AsyncJob; @@ -81,6 +82,9 @@ public class ListVMsCmd extends BaseListCmd { @Parameter(name=ApiConstants.STORAGE_ID, type=CommandType.LONG, description="the storage ID where vm's volumes belong to") private Long storageId; + + @Parameter(name=ApiConstants.PROJECT_ID, type=CommandType.LONG, description="list vms by project") + private Long projectId; ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// @@ -146,6 +150,10 @@ public class ListVMsCmd extends BaseListCmd { return storageId; } + public Long getProjectId() { + return projectId; + } + ///////////////////////////////////////////////////// /////////////// API Implementation/////////////////// ///////////////////////////////////////////////////// diff --git a/api/src/com/cloud/api/commands/UpdateResourceLimitCmd.java b/api/src/com/cloud/api/commands/UpdateResourceLimitCmd.java index bd29e69d327..f2918235248 100644 --- a/api/src/com/cloud/api/commands/UpdateResourceLimitCmd.java +++ b/api/src/com/cloud/api/commands/UpdateResourceLimitCmd.java 
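Review bot: The added `import com.cloud.api.BaseCmd.CommandType;` appears redundant and is inserted out of alphabetical order among the `com.cloud.api.*` imports: the pre-existing `@Parameter(name=ApiConstants.STORAGE_ID, type=CommandType.LONG, ...)` on the old side already compiles without it, since ListVMsCmd extends BaseListCmd and so inherits the nested type from BaseCmd. Dropping the import keeps the file consistent with the other command classes in this diff, none of which import it.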
@@ -46,8 +46,8 @@ public class UpdateResourceLimitCmd extends BaseCmd { @Parameter(name=ApiConstants.DOMAIN_ID, type=CommandType.LONG, description="Update resource limits for all accounts in specified domain. If used with the account parameter, updates resource limits for a specified account in specified domain.") private Long domainId; - @Parameter(name=ApiConstants.PROJECT, type=CommandType.STRING, description="Update resource limits for project") - private String projectName; + @Parameter(name=ApiConstants.PROJECT_ID, type=CommandType.LONG, description="Update resource limits for project") + private Long projectId; @Parameter(name=ApiConstants.MAX, type=CommandType.LONG, description=" Maximum resource limit.") private Long max; @@ -86,17 +86,12 @@ public class UpdateResourceLimitCmd extends BaseCmd { @Override public long getEntityOwnerId() { - Long accountId = getAccountId(accountName, projectName, domainId); - if (accountId != null) { - return accountId; - } - - return Account.ACCOUNT_ID_SYSTEM; + return getAccountId(accountName, domainId, projectId); } @Override public void execute(){ - ResourceLimit result = _resourceLimitService.updateResourceLimit(getAccountId(accountName, projectName, domainId), getDomainId(), resourceType, max); + ResourceLimit result = _resourceLimitService.updateResourceLimit(getEntityOwnerId(), getDomainId(), resourceType, max); if (result != null || (result == null && max != null && max.longValue() == -1L)){ ResourceLimitResponse response = _responseGenerator.createResourceLimitResponse(result); response.setResponseName(getCommandName()); diff --git a/api/src/com/cloud/api/response/ControlledEntityResponse.java b/api/src/com/cloud/api/response/ControlledEntityResponse.java index 8bd899fa03e..4b7917b2544 100644 --- a/api/src/com/cloud/api/response/ControlledEntityResponse.java +++ b/api/src/com/cloud/api/response/ControlledEntityResponse.java 
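Review bot: getEntityOwnerId used to fall back to `Account.ACCOUNT_ID_SYSTEM` when neither account nor project was given, and execute() used to pass the possibly-null result of getAccountId to updateResourceLimit; both now hand the service the caller's own account id, via the new fallback in BaseCmd.getAccountId. For a domain-level update (domainId only, the case the DOMAIN_ID description documents) the service therefore receives a real account id instead of null, which — if a non-null id means an account-scoped limit — turns a domain-wide update into an update of the caller's own limit. Consider keeping null for the domain-only case in execute(), e.g. `Long accountId = (accountName != null || projectId != null) ? getEntityOwnerId() : null;`, or document why the service handles this correctly.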
@@ -4,6 +4,8 @@ public interface ControlledEntityResponse { public void setAccountName(String accountName); + public void setProjectId(Long projectId); + public void setProjectName(String projectName); public void setDomainId(Long domainId); diff --git a/api/src/com/cloud/api/response/ResourceLimitResponse.java b/api/src/com/cloud/api/response/ResourceLimitResponse.java index 538221a7e56..da3671df6fd 100644 --- a/api/src/com/cloud/api/response/ResourceLimitResponse.java +++ b/api/src/com/cloud/api/response/ResourceLimitResponse.java @@ -38,9 +38,12 @@ public class ResourceLimitResponse extends BaseResponse implements ControlledEnt @SerializedName("max") @Param(description="the maximum number of the resource. A -1 means the resource currently has no limit.") private Long max; + @SerializedName(ApiConstants.PROJECT_ID) @Param(description="the project id of the resource limit") + private Long projectId; + @SerializedName(ApiConstants.PROJECT) @Param(description="the project name of the resource limit") private String projectName; - + @Override public void setAccountName(String accountName) { this.accountName = accountName; @@ -68,4 +71,9 @@ public class ResourceLimitResponse extends BaseResponse implements ControlledEnt public void setMax(Long max) { this.max = max; } + + @Override + public void setProjectId(Long projectId) { + this.projectId = projectId; + } } diff --git a/api/src/com/cloud/api/response/UserVmResponse.java b/api/src/com/cloud/api/response/UserVmResponse.java index 347b3732f4b..c5ad1c2113d 100755 --- a/api/src/com/cloud/api/response/UserVmResponse.java +++ b/api/src/com/cloud/api/response/UserVmResponse.java 
@@ -24,7 +24,8 @@ import com.cloud.api.ApiConstants; import com.cloud.serializer.Param; import com.google.gson.annotations.SerializedName; -public class UserVmResponse extends BaseResponse { +@SuppressWarnings("unused") +public class UserVmResponse extends BaseResponse implements ControlledEntityResponse { @SerializedName(ApiConstants.ID) @Param(description="the ID of the virtual machine") private Long id; @@ -39,6 +40,12 @@ public class UserVmResponse extends BaseResponse { @SerializedName(ApiConstants.ACCOUNT) @Param(description="the account associated with the virtual machine") private String accountName; + + @SerializedName(ApiConstants.PROJECT_ID) @Param(description="the project id of the vm") + private Long projectId; + + @SerializedName(ApiConstants.PROJECT) @Param(description="the project name of the vm") + private String projectName; @SerializedName(ApiConstants.DOMAIN_ID) @Param(description="the ID of the domain in which the virtual machine exists") private Long domainId; 
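Review bot: The class-level `@SuppressWarnings("unused")` on UserVmResponse silences the warning for every private field in the class, including any that later become genuinely dead, and it hides the actual reason the fields look unused (they are populated through setters and read reflectively via Gson's @SerializedName). Prefer a comment stating that and dropping the annotation, e.g. `// fields are set through setters and serialized reflectively via @SerializedName; getters are intentionally absent`, or keep the comment next to the annotation so the suppression is explained. The class body continues outside the hunk.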
@@ -148,335 +155,182 @@ public class UserVmResponse extends BaseResponse { @SerializedName("hypervisor") @Param(description="the hypervisor on which the template runs") private String hypervisor; - public String getHypervisor() { - return hypervisor; - } public void setHypervisor(String hypervisor) { this.hypervisor = hypervisor; } - - public Long getObjectId() { - return getId(); - } - public Long getId() { - return id; - } - public void setId(Long id) { this.id = id; } - public String getName() { - return name; + public Long getId() { + return id; } public void setName(String name) { this.name = name; } - public String getDisplayName() { - return displayName; - } - public void setDisplayName(String displayName) { this.displayName = displayName; } - public String getIpAddress() { - return ipAddress; - } - public void setIpAddress(String ipAddress) { this.ipAddress = ipAddress; } - public String getAccountName() { - return accountName; - } - public void setAccountName(String accountName) { this.accountName = accountName; } - public Long getDomainId() { - return domainId; - } - public void setDomainId(Long domainId) { this.domainId = domainId; } - public String getDomainName() { - return domainName; - } - public void setDomainName(String domainName) { this.domainName = domainName; } - public Date getCreated() { - return created; - } - public void setCreated(Date created) { this.created = created; } - public String getState() { - return state; - } - public void setState(String state) { this.state = state; } - public Boolean getHaEnable() { - return haEnable; - } - public void setHaEnable(Boolean haEnable) { this.haEnable = haEnable; } - public Long getGroupId() { - return groupId; - } - public void setGroupId(Long groupId) { this.groupId = groupId; } - public String getGroup() { - return group; - } - public void setGroup(String group) { this.group = group; } - public Long getZoneId() { - return zoneId; - } - public void setZoneId(Long zoneId) { this.zoneId = zoneId; 
} - public String getZoneName() { - return zoneName; - } - public void setZoneName(String zoneName) { this.zoneName = zoneName; } - public Long getHostId() { - return hostId; - } - public void setHostId(Long hostId) { this.hostId = hostId; } - public String getHostName() { - return hostName; - } - public void setHostName(String hostName) { this.hostName = hostName; } - public Long getTemplateId() { - return templateId; - } - public void setTemplateId(Long templateId) { this.templateId = templateId; } - public String getTemplateName() { - return templateName; - } - public void setTemplateName(String templateName) { this.templateName = templateName; } - public String getTemplateDisplayText() { - return templateDisplayText; - } - public void setTemplateDisplayText(String templateDisplayText) { this.templateDisplayText = templateDisplayText; } - public Boolean getPasswordEnabled() { - return passwordEnabled; - } - public void setPasswordEnabled(Boolean passwordEnabled) { this.passwordEnabled = passwordEnabled; } - public Long getIsoId() { - return isoId; - } - public void setIsoId(Long isoId) { this.isoId = isoId; } - public String getIsoName() { - return isoName; - } - public void setIsoName(String isoName) { this.isoName = isoName; } - public String getIsoDisplayText() { - return isoDisplayText; - } - public void setIsoDisplayText(String isoDisplayText) { this.isoDisplayText = isoDisplayText; } - public Long getServiceOfferingId() { - return serviceOfferingId; - } - public void setServiceOfferingId(Long serviceOfferingId) { this.serviceOfferingId = serviceOfferingId; } - public String getServiceOfferingName() { - return serviceOfferingName; - } - public void setServiceOfferingName(String serviceOfferingName) { this.serviceOfferingName = serviceOfferingName; } - public Integer getCpuNumber() { - return cpuNumber; - } - public void setCpuNumber(Integer cpuNumber) { this.cpuNumber = cpuNumber; } - public Integer getCpuSpeed() { - return cpuSpeed; - } - public void 
setCpuSpeed(Integer cpuSpeed) { this.cpuSpeed = cpuSpeed; } - public Integer getMemory() { - return memory; - } - public void setMemory(Integer memory) { this.memory = memory; } - public String getCpuUsed() { - return cpuUsed; - } - public void setCpuUsed(String cpuUsed) { this.cpuUsed = cpuUsed; } - public Long getNetworkKbsRead() { - return networkKbsRead; - } - public void setNetworkKbsRead(Long networkKbsRead) { this.networkKbsRead = networkKbsRead; } - public Long getNetworkKbsWrite() { - return networkKbsWrite; - } - public void setNetworkKbsWrite(Long networkKbsWrite) { this.networkKbsWrite = networkKbsWrite; } - public Long getGuestOsId() { - return guestOsId; - } - public void setGuestOsId(Long guestOsId) { this.guestOsId = guestOsId; } - public Long getRootDeviceId() { - return rootDeviceId; - } - public void setRootDeviceId(Long rootDeviceId) { this.rootDeviceId = rootDeviceId; } - public String getRootDeviceType() { - return rootDeviceType; - } - public void setRootDeviceType(String rootDeviceType) { this.rootDeviceType = rootDeviceType; } - public String getPassword() { - return password; - } - public void setPassword(String password) { this.password = password; } - public Long getJobId() { - return jobId; - } - public void setJobId(Long jobId) { this.jobId = jobId; } - public Integer getJobStatus() { - return jobStatus; - } - public void setJobStatus(Integer jobStatus) { this.jobStatus = jobStatus; } - public Boolean getForVirtualNetwork() { - return forVirtualNetwork; - } - public void setForVirtualNetwork(Boolean forVirtualNetwork) { this.forVirtualNetwork = forVirtualNetwork; } - public List getNics() { - return nics; - } - public void setNics(List nics) { this.nics = nics; } - - public List getSecurityGroupList() { - return securityGroupList; - } public void setSecurityGroupList(List securityGroups) { this.securityGroupList = securityGroups; } + + @Override + public void setProjectId(Long projectId) { + this.projectId = projectId; + } + + 
@Override + public void setProjectName(String projectName) { + this.projectName = projectName; + } } diff --git a/api/src/com/cloud/vm/InstanceGroup.java b/api/src/com/cloud/vm/InstanceGroup.java index a1ff22dfe2e..ee3ef6d61be 100644 --- a/api/src/com/cloud/vm/InstanceGroup.java +++ b/api/src/com/cloud/vm/InstanceGroup.java @@ -19,10 +19,9 @@ package com.cloud.vm; import java.util.Date; -import com.cloud.domain.PartOf; -import com.cloud.user.OwnedBy; +import com.cloud.acl.ControlledEntity; -public interface InstanceGroup extends OwnedBy, PartOf { +public interface InstanceGroup extends ControlledEntity { long getId(); String getName(); Date getCreated(); diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 99199b3969c..c06eae460d3 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -2369,9 +2369,10 @@ public class ApiResponseHelper implements ResponseGenerator { userVmResponse.setName(userVmData.getName()); userVmResponse.setDisplayName(userVmData.getDisplayName()); userVmResponse.setIpAddress(userVmData.getIpAddress()); - userVmResponse.setAccountName(userVmData.getAccountName()); - userVmResponse.setDomainId(userVmData.getDomainId()); - userVmResponse.setDomainName(userVmData.getDomainName()); + + populateAccount(userVmResponse, userVmData.getAccountId()); + populateDomain(userVmResponse, userVmData.getDomainId()); + userVmResponse.setCreated(userVmData.getCreated()); userVmResponse.setState(userVmData.getState()); userVmResponse.setHaEnable(userVmData.getHaEnable()); 
@@ -2458,6 +2459,7 @@ public class ApiResponseHelper implements ResponseGenerator { if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { //find the project Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId()); + response.setProjectId(project.getId()); response.setProjectName(project.getName()); } else { response.setAccountName(account.getAccountName()); @@ -2473,6 +2475,7 @@ public class ApiResponseHelper implements ResponseGenerator { if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { //find the project Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId()); + response.setProjectId(project.getId()); response.setProjectName(project.getName()); } else { response.setAccountName(account.getAccountName()); @@ -2481,8 +2484,15 @@ public class ApiResponseHelper implements ResponseGenerator { private void populateDomain(ControlledEntityResponse response, long domainId) { Domain domain = ApiDBUtils.findDomainById(domainId); + + if (domain.getType() == Domain.Type.Project) { + Project project = ApiDBUtils.findProjectByProjectDomainId(domainId); + domain = ApiDBUtils.findDomainById(project.getDomainId()); + } + response.setDomainId(domain.getId()); response.setDomainName(domain.getName()); + } @Override diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java index c1425c576ad..317edc642e3 100644 --- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java +++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java @@ -104,6 +104,7 @@ public class FirewallManagerImpl implements FirewallService, FirewallManager, Ma ConfigurationDao _configDao; @Inject DomainManager _domainMgr; + @Inject PortForwardingRulesDao _pfRulesDao; @Inject UserVmDao _vmDao; diff --git a/server/src/com/cloud/projects/ProjectManager.java b/server/src/com/cloud/projects/ProjectManager.java index 1cac7120e83..3966c8e900d 100644 
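Review bot: In populateDomain, `Project project = ApiDBUtils.findProjectByProjectDomainId(domainId);` is dereferenced on the next line with no null check, so a project-type domain with no matching project row fails as a NullPointerException during response rendering rather than with a clear error; the `project.getId()` calls added to populateAccount in the two hunks above dereference `findProjectByProjectAccountId` the same way. Suggest guarding the new lookup, e.g. `if (project == null) { throw new CloudRuntimeException("Unable to find project for project domain id=" + domainId); }` (or whichever exception type this class already uses for inconsistent data). The existing `domain.getType()` dereference inherits the pre-existing null risk on `findDomainById` and is not new to this change.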
--- a/server/src/com/cloud/projects/ProjectManager.java +++ b/server/src/com/cloud/projects/ProjectManager.java @@ -1,5 +1,7 @@ package com.cloud.projects; +import java.util.List; + import com.cloud.user.Account; public interface ProjectManager extends ProjectService { @@ -12,4 +14,6 @@ public interface ProjectManager extends ProjectService { boolean canModifyProjectDomain(Account caller, long domainId); boolean deleteAccountFromProject(long projectId, long accountId); + + List listPermittedProjectAccounts(long accountId); } diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java index 5bc3d051cfe..cb0f9762a5e 100644 --- a/server/src/com/cloud/projects/ProjectManagerImpl.java +++ b/server/src/com/cloud/projects/ProjectManagerImpl.java @@ -718,4 +718,9 @@ public class ProjectManagerImpl implements ProjectManager, Manager{ return result; } + + @Override + public List listPermittedProjectAccounts(long accountId) { + return _projectAccountDao.listPermittedAccountIds(accountId); + } } diff --git a/server/src/com/cloud/projects/dao/ProjectAccountDao.java b/server/src/com/cloud/projects/dao/ProjectAccountDao.java index 4a010213938..e7d446955ab 100644 --- a/server/src/com/cloud/projects/dao/ProjectAccountDao.java +++ b/server/src/com/cloud/projects/dao/ProjectAccountDao.java @@ -33,4 +33,6 @@ public interface ProjectAccountDao extends GenericDao{ boolean canModifyProjectAccount(long accountId, long projectAccountId); boolean canModifyProjectDomain(long accountId, long projectDomainId); + + List listPermittedAccountIds(long accountId); } diff --git a/server/src/com/cloud/projects/dao/ProjectAccountDaoImpl.java b/server/src/com/cloud/projects/dao/ProjectAccountDaoImpl.java index fbcb0287396..2ff9f7513fa 100644 --- a/server/src/com/cloud/projects/dao/ProjectAccountDaoImpl.java +++ b/server/src/com/cloud/projects/dao/ProjectAccountDaoImpl.java 
@@ -17,6 +17,7 @@ */ package com.cloud.projects.dao; +import java.util.ArrayList; import java.util.List; import javax.ejb.Local; @@ -123,4 +124,19 @@ public class ProjectAccountDaoImpl extends GenericDaoBase listPermittedAccountIds(long accountId) { + List permittedAccounts = new ArrayList(); + SearchCriteria sc = AllFieldsSearch.create(); + sc.setParameters("accountId", accountId); + + List records = listBy(sc); + + for (ProjectAccountVO record : records) { + permittedAccounts.add(record.getProjectAccountId()); + } + + return permittedAccounts; + } } diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 65ab7ee2c25..1fc164af6a3 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -142,6 +142,8 @@ import com.cloud.offerings.NetworkOfferingVO; import com.cloud.offerings.dao.NetworkOfferingDao; import com.cloud.org.Cluster; import com.cloud.org.Grouping; +import com.cloud.projects.Project; +import com.cloud.projects.ProjectManager; import com.cloud.server.Criteria; import com.cloud.service.ServiceOfferingVO; import com.cloud.service.dao.ServiceOfferingDao; @@ -343,6 +345,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager protected ResourceLimitService _resourceLimitMgr; @Inject protected FirewallManager _firewallMgr; + @Inject + protected ProjectManager _projectMgr; protected ScheduledExecutorService _executor = null; protected int _expungeInterval; 
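Review bot: listPermittedAccountIds returns the project account ids (`record.getProjectAccountId()`) of every ProjectAccountVO row whose `accountId` matches, yet the DAO name says "account ids" while the manager wrapper is called listPermittedProjectAccounts; a Javadoc would remove the ambiguity, e.g. `/** Returns the project-account ids of all projects the given account is a member of, regardless of its role in the project. */`. Whether membership state should narrow the result cannot be determined from this hunk and is worth confirming, since the name suggests the list feeds authorization decisions. The method also relies on `AllFieldsSearch` defining an `accountId` parameter, which is outside the hunk.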
@@ -368,8 +372,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @Override @ActionEvent(eventType = EventTypes.EVENT_VM_RESETPASSWORD, eventDescription = "resetting Vm password", async = true) public UserVm resetVMPassword(ResetVMPasswordCmd cmd, String password) throws ResourceUnavailableException, InsufficientCapacityException { - Account account = UserContext.current().getCaller(); - Long userId = UserContext.current().getCallerUserId(); + Account caller = UserContext.current().getCaller(); Long vmId = cmd.getId(); UserVmVO userVm = _vmDao.findById(cmd.getId()); @@ -388,7 +391,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new InvalidParameterValueException("Vm with id " + vmId + " is not in the right state"); } - userId = accountAndUserValidation(vmId, account, userId, userVm); + _accountMgr.checkAccess(caller, null, userVm); boolean result = resetVMPasswordInternal(cmd, password); 
@@ -557,18 +560,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager // If the account is not an admin, check that the volume and the virtual machine are owned by the account that was // passed in _accountMgr.checkAccess(account, null, volume); - /* - * if (account != null) { if (!isAdmin(account.getType())) { if (account.getId() != volume.getAccountId()) { throw new - * PermissionDeniedException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName() - * + ". Permission denied."); } - * - * if (account.getId() != vm.getAccountId()) { throw new PermissionDeniedException("Unable to find VM with ID: " + vmId - * + " for account: " + account.getAccountName() + ". Permission denied"); } } else { if - * (!_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId()) || - * !_domainDao.isChildDomain(account.getDomainId(), vm.getDomainId())) { throw new - * PermissionDeniedException("Unable to attach volume " + volumeId + " to virtual machine instance " + vmId + - * ". Permission denied."); } } } - */ VolumeVO rootVolumeOfVm = null; List rootVolumesOfVm = _volsDao.findByInstanceAndType(vmId, Volume.Type.ROOT); @@ -750,13 +741,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager // If the account is not an admin, check that the volume is owned by the account that was passed in _accountMgr.checkAccess(account, null, volume); - /* - * if (!isAdmin) { if (account.getId() != volume.getAccountId()) { throw new - * InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: " + - * account.getAccountName()); } } else if (account != null) { if (!_domainDao.isChildDomain(account.getDomainId(), - * volume.getDomainId())) { throw new PermissionDeniedException("Unable to detach volume with ID: " + volumeId + - * ", permission denied."); } } - */ // Check that the volume is a data volume if (volume.getVolumeType() != Volume.Type.DATADISK) { 
@@ -902,8 +886,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager public UserVm upgradeVirtualMachine(UpgradeVMCmd cmd) { Long virtualMachineId = cmd.getId(); Long serviceOfferingId = cmd.getServiceOfferingId(); - Account account = UserContext.current().getCaller(); - Long userId = UserContext.current().getCallerUserId(); + Account caller = UserContext.current().getCaller(); // Verify input parameters UserVmVO vmInstance = _vmDao.findById(virtualMachineId); @@ -911,7 +894,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new InvalidParameterValueException("unable to find a virtual machine with id " + virtualMachineId); } - userId = accountAndUserValidation(virtualMachineId, account, userId, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); // Check that the specified service offering ID is valid ServiceOfferingVO newServiceOffering = _offeringDao.findById(serviceOfferingId); 
@@ -977,22 +960,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager return _vmDao.findById(vmInstance.getId()); } - private Long accountAndUserValidation(Long virtualMachineId, Account account, Long userId, UserVmVO vmInstance) { - if (account != null) { - if (!isAdmin(account.getType()) && (account.getId() != vmInstance.getAccountId())) { - throw new InvalidParameterValueException("Unable to find a virtual machine with id " + virtualMachineId + " for this account"); - } else if (!_domainDao.isChildDomain(account.getDomainId(), vmInstance.getDomainId())) { - throw new InvalidParameterValueException("Invalid virtual machine id (" + virtualMachineId + ") given, unable to upgrade virtual machine."); - } - } - - // If command is executed via 8096 port, set userId to the id of System account (1) - if (userId == null) { - userId = Long.valueOf(User.UID_SYSTEM); - } - return userId; - } - @Override public HashMap getVirtualMachineStatistics(long hostId, String hostName, List vmIds) throws CloudRuntimeException { HashMap vmStatsById = new HashMap(); @@ -1033,12 +1000,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager public UserVm recoverVirtualMachine(RecoverVMCmd cmd) throws ResourceAllocationException, CloudRuntimeException { Long vmId = cmd.getId(); - Account accountHandle = UserContext.current().getCaller(); - - // if account is removed, return error - if (accountHandle != null && accountHandle.getRemoved() != null) { - throw new InvalidParameterValueException("The account " + accountHandle.getId() + " is removed"); - } + Account caller = UserContext.current().getCaller(); // Verify input parameters UserVmVO vm = _vmDao.findById(vmId.longValue()); 
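Review bot: The check that rejected a removed caller account (`accountHandle.getRemoved() != null`) at the top of recoverVirtualMachine is deleted, and the replacement in the following hunk, `_accountMgr.checkAccess(caller, null, vm)`, does not visibly restore it; if checkAccess does not validate the caller's own state, that validation is lost. If the check is redundant because authentication already excludes removed accounts, a one-line comment at the call site saying so would preserve the intent. recoverVirtualMachine continues outside the hunk.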
@@ -1046,11 +1008,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (vm == null) { throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - - if ((accountHandle != null) && !_domainDao.isChildDomain(accountHandle.getDomainId(), vm.getDomainId())) { - // the domain in which the VM lives is not in the admin's domain tree - throw new InvalidParameterValueException("Unable to recover virtual machine with id " + vmId + ", invalid id given."); - } + + //check permissions + _accountMgr.checkAccess(caller, null, vm); if (vm.getRemoved() != null) { if (s_logger.isDebugEnabled()) { @@ -1300,12 +1260,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @ActionEvent(eventType = EventTypes.EVENT_TEMPLATE_CREATE, eventDescription = "creating template", create = true) public VMTemplateVO createPrivateTemplateRecord(CreateTemplateCmd cmd) throws ResourceAllocationException { Long userId = UserContext.current().getCallerUserId(); - if (userId == null) { - userId = User.UID_SYSTEM; - } - Account account = UserContext.current().getCaller(); - boolean isAdmin = ((account == null) || isAdmin(account.getType())); + Account caller = UserContext.current().getCaller(); + boolean isAdmin = ((caller == null) || isAdmin(caller.getType())); VMTemplateVO privateTemplate = null; @@ -1321,7 +1278,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager } if(cmd.getTemplateTag() != null){ - if(!_accountService.isRootAdmin(account.getType())){ + if(!_accountService.isRootAdmin(caller.getType())){ throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied"); } } 
@@ -1361,6 +1318,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (volume == null) { throw new InvalidParameterValueException("Failed to create private template record, unable to find volume " + volumeId); } + //check permissions + _accountMgr.checkAccess(caller, null, volume); + // If private template is created from Volume, check that the volume will not be active when the private template is // created if (!_storageMgr.volumeInactive(volume)) { @@ -1378,6 +1338,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (snapshot == null) { throw new InvalidParameterValueException("Failed to create private template record, unable to find snapshot " + snapshotId); } + + //check permissions + _accountMgr.checkAccess(caller, null, snapshot); if (snapshot.getStatus() != Snapshot.Status.BackedUp) { throw new InvalidParameterValueException("Snapshot id=" + snapshotId + " is not in " + Snapshot.Status.BackedUp + " state yet and can't be used for template creation"); @@ -1389,14 +1352,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager volume = _volsDao.findById(snapshot.getVolumeId()); } - if (!isAdmin) { - if (account.getId() != accountId) { - throw new PermissionDeniedException("Unable to create a template permission denied."); - } - } else if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), domainId)) { - throw new PermissionDeniedException("Unable to create a template permission denied."); - } - VMTemplateVO existingTemplate = _templateDao.findByTemplateNameAccountId(name, accountId); if (existingTemplate != null) { throw new InvalidParameterValueException("Failed to create private template " + name + ", a template with that name already exists."); 
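Review bot: The block deleted in the third hunk was the only check relating the template's target `accountId`/`domainId` to the caller (non-admins had to own it, admins had to be in an ancestor domain); its replacement is `_accountMgr.checkAccess(caller, null, volume)` and `checkAccess(caller, null, snapshot)` on the source object in the two hunks above. That is equivalent only if `accountId` and `domainId` are derived from that volume or snapshot; where they are assigned is outside the hunk, so if either can come from a command parameter the ownership check on the template owner has been lost. The local `isAdmin` computed earlier in the method may also now be unused. A comment at the removal point, `// ownership of the template is implied by checkAccess on the source volume/snapshot above`, would record the assumption.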
@@ -1747,8 +1702,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager Boolean ha = cmd.getHaEnable(); Long id = cmd.getId(); Long osTypeId = cmd.getOsTypeId(); - Account account = UserContext.current().getCaller(); - Long userId = UserContext.current().getCallerUserId(); String userData = cmd.getUserData(); // Input validation @@ -1766,7 +1719,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new InvalidParameterValueException("Can't enable ha for the vm as it's created from the Service offering having HA disabled"); } - userId = accountAndUserValidation(id, account, userId, vmInstance); + _accountMgr.checkAccess(UserContext.current().getCaller(), null, vmInstance); if (displayName == null) { displayName = vmInstance.getDisplayName(); @@ -1832,8 +1785,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @Override @ActionEvent(eventType = EventTypes.EVENT_VM_REBOOT, eventDescription = "rebooting Vm", async = true) public UserVm rebootVirtualMachine(RebootVMCmd cmd) throws InsufficientCapacityException, ResourceUnavailableException { - Account account = UserContext.current().getCaller(); - Long userId = UserContext.current().getCallerUserId(); + Account caller = UserContext.current().getCaller(); Long vmId = cmd.getId(); // Verify input parameters @@ -1842,9 +1794,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - userId = accountAndUserValidation(vmId, account, userId, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); - return rebootVirtualMachine(userId, vmId); + return rebootVirtualMachine(UserContext.current().getCallerUserId(), vmId); } @Override 
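Review bot: `rebootVirtualMachine(UserContext.current().getCallerUserId(), vmId)` passes a `Long` that can be null — the `User.UID_SYSTEM` fallback removed from createPrivateTemplateRecord earlier in this diff shows the null case is real — whereas the removed `accountAndUserValidation` previously produced the id handed on. If the private `rebootVirtualMachine(long, long)` overload takes a primitive (its signature is not in this hunk), a system-context reboot now fails with an unboxing NullPointerException instead of a validation error. Resolve the id once before the call, `Long userId = UserContext.current().getCallerUserId(); if (userId == null) { userId = User.UID_SYSTEM; }`, or confirm the caller user id is guaranteed non-null on this path and note that on the line.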
@@ -1856,41 +1808,13 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @Override @DB public InstanceGroupVO createVmGroup(CreateVMGroupCmd cmd) { - Account account = UserContext.current().getCaller(); + Account caller = UserContext.current().getCaller(); Long domainId = cmd.getDomainId(); String accountName = cmd.getAccountName(); - Long accountId = null; String groupName = cmd.getGroupName(); - - if (account == null) { - account = _accountDao.findById(1L); - } - - if (account != null) { - if (isAdmin(account.getType())) { - if ((domainId != null) && (accountName != null)) { - if (!_domainDao.isChildDomain(account.getDomainId(), domainId)) { - throw new PermissionDeniedException("Unable to create vm group in domain " + domainId + ", permission denied."); - } - - Account userAccount = _accountDao.findActiveAccount(accountName, domainId); - if (userAccount != null) { - accountId = userAccount.getId(); - } else { - throw new InvalidParameterValueException("Failed to create vm group " + groupName + ", unable to find account " + accountName + " in domain " + domainId); - } - } else { - // the admin must be creating the vm group - accountId = account.getId(); - } - } else { - accountId = account.getId(); - } - } - - if (accountId == null) { - throw new InvalidParameterValueException("Failed to create vm group " + groupName + ", unable to find account for which to create a group."); - } + + Account owner = _accountMgr.finalizeOwner(caller, accountName, domainId); + long accountId = owner.getId(); // Check if name is already in use by this account boolean isNameInUse = _vmGroupDao.isNameInUse(accountId, groupName); 
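Review bot: `_accountMgr.finalizeOwner(caller, accountName, domainId)` now carries all of the authorization the removed block performed, and two behaviours of that block are not visibly preserved: a non-admin caller's `accountName`/`domainId` were ignored in favour of its own account, and an admin naming an account outside its tree was refused through `isChildDomain`. Confirm finalizeOwner rejects rather than honours a non-admin naming another account and applies the domain-tree check for domain admins, and record that on the new line, e.g. `// finalizeOwner enforces: admins limited to their domain tree, non-admins to their own account`. The `account == null` to `findById(1L)` fallback is also gone, so verify finalizeOwner handles a null caller as the system account rather than dereferencing it.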
@@ -1903,7 +1827,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager } @DB - private InstanceGroupVO createVmGroup(String groupName, long accountId) { + protected InstanceGroupVO createVmGroup(String groupName, long accountId) { Account account = null; final Transaction txn = Transaction.currentTxn(); txn.start(); @@ -1929,7 +1853,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @Override public boolean deleteVmGroup(DeleteVMGroupCmd cmd) { - Account account = UserContext.current().getCaller(); + Account caller = UserContext.current().getCaller(); Long groupId = cmd.getId(); // Verify input parameters @@ -1937,15 +1861,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if ((group == null) || (group.getRemoved() != null)) { throw new InvalidParameterValueException("unable to find a vm group with id " + groupId); } - - if (account != null) { - Account tempAccount = _accountDao.findById(group.getAccountId()); - if (!isAdmin(account.getType()) && (account.getId() != group.getAccountId())) { - throw new PermissionDeniedException("unable to find a group with id " + groupId); - } else if (!_domainDao.isChildDomain(account.getDomainId(), tempAccount.getDomainId())) { - throw new PermissionDeniedException("Invalid group id (" + groupId + ") given, unable to update the group."); - } - } + + _accountMgr.checkAccess(caller, null, group); return deleteVmGroup(groupId); } @@ -2031,7 +1948,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager return null; } } catch (Exception e) { - s_logger.warn("Error trying to get group for a vm: " + e); + s_logger.warn("Error trying to get group for a vm: ", e); return null; } } 
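Review bot: Widening `createVmGroup(String groupName, long accountId)` from `private` to `protected` exposes a method that performs no ownership check on `accountId` — the public `createVmGroup(CreateVMGroupCmd)` does that through finalizeOwner — to any subclass. If the widening is for a test subclass or injection, say so on the line, e.g. `// protected for tests only; callers must resolve and authorize accountId first`; otherwise keep it private so the unchecked entry point is not inherited.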
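Review bot: The removed check answered a non-owner with "unable to find a vm group with id", the same text as a missing group, whereas `_accountMgr.checkAccess(caller, null, group)` presumably raises a PermissionDeniedException that confirms the group exists; if group ids are meant to be unenumerable across accounts, that disclosure is new. The removed `if (account != null)` guard is also gone, so a null caller now reaches checkAccess; confirm it treats null as system context. If the old response shape is wanted, wrap the call: `try { _accountMgr.checkAccess(caller, null, group); } catch (PermissionDeniedException e) { throw new InvalidParameterValueException("unable to find a vm group with id " + groupId); }`.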
@@ -2046,7 +1963,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager _groupVMMapDao.expunge(sc); } } catch (Exception e) { - s_logger.warn("Error trying to remove vm from group: " + e); + s_logger.warn("Error trying to remove vm from group: ", e); } } @@ -2837,7 +2754,6 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @Override @ActionEvent(eventType = EventTypes.EVENT_VM_STOP, eventDescription = "stopping Vm", async = true) public UserVm stopVirtualMachine(long vmId, boolean forced) throws ConcurrentOperationException { - // Input validation Account caller = UserContext.current().getCaller(); Long userId = UserContext.current().getCallerUserId(); @@ -2852,7 +2768,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - userId = accountAndUserValidation(vmId, caller, userId, vm); + _accountMgr.checkAccess(caller, null, vm); UserVO user = _userDao.findById(userId); try { @@ -2877,12 +2793,12 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager @Override public UserVm startVirtualMachine(long vmId) throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException { // Input validation - Account account = UserContext.current().getCaller(); + Account caller = UserContext.current().getCaller(); Long userId = UserContext.current().getCallerUserId(); // if account is removed, return error - if (account != null && account.getRemoved() != null) { - throw new PermissionDeniedException("The account " + account.getId() + " is removed"); + if (caller != null && caller.getRemoved() != null) { + throw new PermissionDeniedException("The account " + caller.getId() + " is removed"); } UserVmVO vm = _vmDao.findById(vmId); 
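Review bot: `UserVO user = _userDao.findById(userId);` now receives the raw `UserContext.current().getCallerUserId()` value, which this diff elsewhere shows can be null (the removed `User.UID_SYSTEM` fallback in createPrivateTemplateRecord), whereas `accountAndUserValidation` previously returned the id used here. If system-context stops occur, `user` becomes null or the lookup fails on unboxing, and whatever uses `user` after this hunk fails with an NPE instead of a clear error. Apply the fallback before the lookup, `if (userId == null) { userId = User.UID_SYSTEM; }`, or reject null with a meaningful message; the same pattern recurs in startVirtualMachine and destroyVm in this diff. The method continues beyond this hunk.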
@@ -2890,7 +2806,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - userId = accountAndUserValidation(vmId, account, userId, vm); + _accountMgr.checkAccess(caller, null, vm); UserVO user = _userDao.findById(userId); //check if vm is security group enabled @@ -2908,12 +2824,12 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager } } - return _itMgr.start(vm, null, user, account); + return _itMgr.start(vm, null, user, caller); } @Override public UserVm destroyVm(long vmId) throws ResourceUnavailableException, ConcurrentOperationException { - Account account = UserContext.current().getCaller(); + Account caller = UserContext.current().getCaller(); Long userId = UserContext.current().getCallerUserId(); // Verify input parameters @@ -2927,14 +2843,14 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager return vm; } - userId = accountAndUserValidation(vmId, account, userId, vm); - User caller = _userDao.findById(userId); + _accountMgr.checkAccess(caller, null, vm); + User userCaller = _userDao.findById(userId); boolean status; State vmState = vm.getState(); try { - status = _itMgr.destroy(vm, caller, account); + status = _itMgr.destroy(vm, userCaller, caller); } catch (OperationTimedoutException e) { throw new CloudRuntimeException("Unable to destroy " + vm, e); } @@ -2966,8 +2882,9 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager String accountName = cmd.getAccountName(); Boolean isRecursive = cmd.isRecursive(); String hypervisor = cmd.getHypervisor(); - Long accountId = null; + List permittedAccounts = new ArrayList(); String path = null; + Long projectId = cmd.getProjectId(); if (isRecursive != null && isRecursive && domainId == null) { throw new InvalidParameterValueException("Please enter a parent domain id for listing vms recursively"); 
@@ -2987,11 +2904,11 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (_accountMgr.isAdmin(caller.getType())) { isAdmin = true; if (accountName != null && domainId != null) { - caller = _accountDao.findActiveAccount(accountName, domainId); - if (caller == null) { + Account account = _accountDao.findActiveAccount(accountName, domainId); + if (account == null) { throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId); } - accountId = caller.getId(); + permittedAccounts.add(caller.getId()); } if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { @@ -3005,7 +2922,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (domainId != null && domainId.longValue() != caller.getDomainId()) { throw new PermissionDeniedException("Caller is not authorised to see domain id=" + domainId + " entries"); } - accountId = caller.getId(); + permittedAccounts.add(caller.getId()); } if (isRecursive != null && isRecursive && isAdmin) { @@ -3015,6 +2932,20 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager domainId = null; } } + + //set project information + if (projectId != null) { + Project project = _projectMgr.getProject(projectId); + if (project == null) { + throw new InvalidParameterValueException("Unable to find project by id " + projectId); + } + if (!_projectMgr.canAccessAccount(caller, project.getProjectAccountId())) { + throw new InvalidParameterValueException("Account " + caller + " can't access project id=" + projectId); + } + permittedAccounts.add(project.getProjectAccountId()); + } else { + permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId())); + } Criteria c = new Criteria("id", Boolean.TRUE, cmd.getStartIndex(), cmd.getPageSizeVal()); c.addCriteria(Criteria.KEYWORD, cmd.getKeyword()); 
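Review bot: In the admin branch the looked-up `account` is validated and then discarded: `permittedAccounts.add(caller.getId())` adds the admin's own account id instead of the requested one, so an admin listing VMs for a named account gets its own VMs and the `account` variable is otherwise unused. Change the line to `permittedAccounts.add(account.getId());`. The domain-admin branch that follows still operates on `caller`, which is right, but nothing in this hunk verifies that the named account lies in a domain admin's tree; if that is done on the lines outside the hunk, fine, otherwise add `_accountMgr.checkAccess(caller, null, account);` after the lookup.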
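Review bot: A failed `_projectMgr.canAccessAccount(caller, project.getProjectAccountId())` is an authorization failure but is reported as `InvalidParameterValueException`, and the message concatenates the `caller` Account object, whose `toString()` may emit more than an id. Use the exception the rest of this file uses for that case: `throw new PermissionDeniedException("Account " + caller.getId() + " can't access project id=" + projectId);`. Note too that the `else` branch adds the caller's own project accounts even when an admin asked for a specific `accountName`/`domainId`, so the listed set then mixes the requested account with the admin's projects; consider skipping the `addAll` when an explicit account filter was given.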
@@ -3047,8 +2978,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager c.addCriteria(Criteria.STORAGE_ID, cmd.getStorageId()); } - if (accountId != null) { - c.addCriteria(Criteria.ACCOUNTID, new Object[] { accountId }); + if (!permittedAccounts.isEmpty()) { + c.addCriteria(Criteria.ACCOUNTID, permittedAccounts.toArray()); } c.addCriteria(Criteria.ISADMIN, isAdmin); diff --git a/server/src/com/cloud/vm/dao/UserVmDaoImpl.java b/server/src/com/cloud/vm/dao/UserVmDaoImpl.java index 306040af3a5..691839d9903 100755 --- a/server/src/com/cloud/vm/dao/UserVmDaoImpl.java +++ b/server/src/com/cloud/vm/dao/UserVmDaoImpl.java @@ -30,7 +30,6 @@ import javax.ejb.Local; import org.apache.log4j.Logger; -import com.cloud.host.dao.HostDaoImpl; import com.cloud.user.Account; import com.cloud.utils.component.ComponentLocator; import com.cloud.utils.db.Attribute; @@ -77,7 +76,7 @@ public class UserVmDaoImpl extends GenericDaoBase implements Use private static final int VM_DETAILS_BATCH_SIZE=100; private static final String VM_DETAILS = "select vm_instance.id, " + - "account.account_name, account.type, domain.name, instance_group.id, instance_group.name," + + "account.id, account.account_name, account.type, domain.name, instance_group.id, instance_group.name," + "data_center.id, data_center.name, data_center.is_security_group_enabled, host.id, host.name, " + "vm_template.id, vm_template.name, vm_template.display_text, iso.id, iso.name, " + "vm_template.enable_password, service_offering.id, disk_offering.name, storage_pool.id, storage_pool.pool_type, " + @@ -419,6 +418,7 @@ public class UserVmDaoImpl extends GenericDaoBase implements Use if (!userVmData.isInitialized()){ //account.account_name, account.type, domain.name, instance_group.id, instance_group.name," + userVmData.setAccountId(rs.getLong("account.id")); userVmData.setAccountName(rs.getString("account.account_name")); userVmData.setDomainName(rs.getString("domain.name")); 
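Review bot: Gating the ACCOUNTID criterion on `!permittedAccounts.isEmpty()` changes the admin-without-filter case: previously `accountId == null` meant no account restriction, but the project block in the preceding hunk now calls `addAll(listPermittedProjectAccounts(caller.getId()))`, so an admin who belongs to any project gets a non-empty list and sees only project-owned VMs, none of the regular ones. Track an explicit account restriction separately from the project additions — e.g. a `boolean restrictByAccount` set in the admin/user branches — and apply `c.addCriteria(Criteria.ACCOUNTID, permittedAccounts.toArray());` only when it is true or a `projectId` was given. This reading assumes the admin branch leaves `permittedAccounts` empty when no `accountName` is supplied, which is what the visible code does.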
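Review bot: The comment above the new `setAccountId` line still lists the old column order (`//account.account_name, account.type, domain.name, ...`) and omits `account.id`, which the VM_DETAILS select in the previous hunk now places first. Update it to `//account.id, account.account_name, account.type, domain.name, instance_group.id, instance_group.name,` so it matches the select list it mirrors. The `rs.getLong("account.id")` read depends on table-qualified label lookup exactly as the existing `account.account_name` read does, so it is consistent, but a short comment noting that the label must stay table-qualified (several joined tables expose an `id` column) would help the next editor.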
diff --git a/server/src/com/cloud/vm/dao/UserVmData.java b/server/src/com/cloud/vm/dao/UserVmData.java index c36cee6c78b..b45cd54d409 100644 --- a/server/src/com/cloud/vm/dao/UserVmData.java +++ b/server/src/com/cloud/vm/dao/UserVmData.java @@ -17,18 +17,12 @@ */ package com.cloud.vm.dao; -import java.util.ArrayList; import java.util.Date; import java.util.HashSet; import java.util.List; import java.util.Set; -import com.cloud.api.ApiConstants; import com.cloud.api.response.IngressRuleResponse; -import com.cloud.api.response.NicResponse; -import com.cloud.api.response.SecurityGroupResponse; -import com.cloud.serializer.Param; -import com.google.gson.annotations.SerializedName; public class UserVmData { private Long id; @@ -72,6 +66,7 @@ public class UserVmData { private Integer jobStatus; private Set nics; private String hypervisor; + private long accountId; private boolean initialized; @@ -673,6 +668,13 @@ public class UserVmData { public String toString(){ return "id=" + id + ", name=" + name; } - + + public long getAccountId() { + return accountId; + } + + public void setAccountId(long accountId) { + this.accountId = accountId; + } }
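Review bot: The hunk removes the `NicResponse` and `SecurityGroupResponse` imports, but the `nics` field kept in the next hunk is declared as a `Set` whose element type is not recoverable from this rendering; if that element type, or that of a sibling security-group field, is one of the removed response classes, the file no longer compiles. Confirm no field declaration references either class before dropping the imports.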
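Review bot: `private long accountId;` uses a primitive while the class's other identifiers are boxed (`private Long id;` in the preceding hunk), so an unset value reads as account id `0` and cannot be told apart from a real one. Declare it as `private Long accountId;` with matching `Long getAccountId()` / `setAccountId(Long accountId)` accessors for consistency with the rest of the bean; if the primitive is deliberate because UserVmDaoImpl always sets it, a comment on the field saying so would do.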