diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index f31b1f899a7..9b0fe1c4c0a 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -685,7 +685,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { cmd.getDomainId(), cmd.isRecursive(), null); _accountMgr.buildACLSearchParameters(caller, id, cmd.getAccountName(), cmd.getProjectId(), permittedDomains, permittedAccounts, permittedResources, domainIdRecursiveListProject, cmd.listAll(), false, "listInstanceGroups"); - Long domainId = domainIdRecursiveListProject.first(); + // Long domainId = domainIdRecursiveListProject.first(); Boolean isRecursive = domainIdRecursiveListProject.second(); ListProjectResourcesCriteria listProjectResourcesCriteria = domainIdRecursiveListProject.third(); diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index b48f047d2c3..b7eb712dadc 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -2165,8 +2165,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M List permittedResources, Ternary domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation, String action) { - Account owner = null; // for impersonation Long domainId = domainIdRecursiveListProject.first(); + Long accountId = null; if (id == null) { // if id is specified, it will ignore all other parameters if (domainId != null) { @@ -2179,7 +2179,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M checkAccess(caller, domain); } - // specific account is specified, we need to impersonate that account instead of caller + // specific account is specified, we need to filter contents to only show contents owned by that account. if (accountName != null) { if (projectId != null) { throw new InvalidParameterValueException("Account and projectId can't be specified together"); @@ -2198,7 +2198,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M if (userAccount != null) { //check permissions checkAccess(caller, null, userAccount); - owner = userAccount; + accountId = userAccount.getId(); } else { throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid()); } @@ -2226,10 +2226,6 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } } } else { - if (owner == null) { - // no impersonation, so we directly check permission for caller - owner = caller; - } AccessType accessType = AccessType.UseEntry; if (listAll || id != null) { // listAll = true or id given should show all resources that owner has ListEntry access type. @@ -2245,18 +2241,37 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M return; // no futher filtering QuerySelector qs = _querySelectors.get(0); - boolean grantedAll = qs.isGrantedAll(owner, action, accessType); + boolean grantedAll = qs.isGrantedAll(caller, action, accessType); + if ( grantedAll ){ - if (domainId != null) { + if (accountId != null) { + permittedAccounts.add(accountId); + domainIdRecursiveListProject.second(false); // isRecursive is only valid if only domainId is passed. + } else if (domainId != null) { permittedDomains.add(domainId); + } else { + domainIdRecursiveListProject.second(false); // isRecursive is only valid if only domainId is passed. } } else { - List grantedDomains = qs.getAuthorizedDomains(owner, action, accessType); - List grantedAccounts = qs.getAuthorizedAccounts(owner, action, accessType); - List grantedResources = qs.getAuthorizedResources(owner, action, accessType); + List grantedDomains = qs.getAuthorizedDomains(caller, action, accessType); + List grantedAccounts = qs.getAuthorizedAccounts(caller, action, accessType); + List grantedResources = qs.getAuthorizedResources(caller, action, accessType); - if (domainId != null) { + if (accountId != null) { + // specific account filter is specified + if (grantedAccounts.contains(accountId)) { + permittedAccounts.add(accountId); + } else { + //TODO: we should also filter granted resources based on accountId passed. + // potential bug, if accountId is passed, it may show some granted resources that may not be owned by that account. + // to fix this, we need to change the interface to also pass ControlledEntity class to use EntityManager to find + // ControlledEntity instance to check accountId. But this has some issues for those non controlled entities, + // like NetworkACLItem + permittedResources.addAll(grantedResources); + } + domainIdRecursiveListProject.second(false); // isRecursive is only valid if only domainId is passed. + } else if (domainId != null) { // specific domain and no account is specified if (grantedDomains.contains(domainId)) { permittedDomains.add(domainId); @@ -2279,6 +2294,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M permittedDomains.addAll(grantedDomains); permittedAccounts.addAll(grantedAccounts); permittedResources.addAll(grantedResources); + domainIdRecursiveListProject.second(false); // isRecursive is only valid if only domainId is passed. } if (permittedDomains.isEmpty() && permittedAccounts.isEmpty() & permittedResources.isEmpty()) {