From 35afd012f575a901aa452c2903d2a43e8b4044a5 Mon Sep 17 00:00:00 2001
From: Prachi Damle
Date: Tue, 17 Dec 2013 11:17:34 -0800
Subject: [PATCH] CLOUDSTACK-4852: Since upgrade to 4.2 only users at the zone-attached domain level can manipulate VMs

Changes:
- The vmprofile owner passed in to the planner should be the VM's account and not the caller
- Do not do the access check for Root Admin
---
 .../src/com/cloud/vm/VirtualMachineManagerImpl.java | 3 ++-
 .../src/com/cloud/deploy/DeploymentPlanningManagerImpl.java | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/engine/orchestration/src/com/cloud/vm/VirtualMachineManagerImpl.java b/engine/orchestration/src/com/cloud/vm/VirtualMachineManagerImpl.java
index 9537d7422f7..4a5c2cc383a 100755
--- a/engine/orchestration/src/com/cloud/vm/VirtualMachineManagerImpl.java
+++ b/engine/orchestration/src/com/cloud/vm/VirtualMachineManagerImpl.java
@@ -842,7 +842,8 @@ public class VirtualMachineManagerImpl extends ManagerBase implements VirtualMac
 }
 }
- VirtualMachineProfileImpl vmProfile = new VirtualMachineProfileImpl(vm, template, offering, account, params);
+ Account owner = _entityMgr.findById(Account.class, vm.getAccountId());
+ VirtualMachineProfileImpl vmProfile = new VirtualMachineProfileImpl(vm, template, offering, owner, params);
 DeployDestination dest = null;
 try {
 dest = _dpMgr.planDeployment(vmProfile, plan, avoids);
diff --git a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
index b528ae31cb3..65759e0c3b4 100644
--- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
+++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
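Review bot: The `owner` returned by `_entityMgr.findById(Account.class, vm.getAccountId())` in VirtualMachineManagerImpl is handed to the profile without a null check, and the planner hunk in DeploymentPlanningManagerImpl dereferences it through `vmProfile.getOwner().getType()`. If the lookup can return null (for instance for an account that no longer exists; that is not visible here), the start path would fail with a NullPointerException inside the planner instead of a clear error. A guard directly after the lookup would cover it, e.g. `if (owner == null) { throw new CloudRuntimeException("Unable to find owner account for VM " + vm); }`, or whichever exception this method already uses for missing entities. Because the planner now evaluates dedicated-resource access for the VM's owner and no longer sees the caller, a comment such as `// planner checks run against the VM owner; the caller's access to this VM must already be verified upstream` would record that assumption. The enclosing method starts and ends outside the hunk.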
@@ -460,12 +460,12 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy boolean isExplicit = false; VirtualMachine vm = vmProfile.getVirtualMachine(); + // check if zone is dedicated. if yes check if vm owner has acess to it. DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId()); - if (dedicatedZone != null) { + if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) { long accountDomainId = vmProfile.getOwner().getDomainId(); long accountId = vmProfile.getOwner().getAccountId(); - // If a zone is dedicated to an account then all hosts in this zone // will be explicitly dedicated to // that account. So there won't be any shared hosts in the zone, the
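Review bot: The added `!_accountMgr.isRootAdmin(vmProfile.getOwner().getType())` guards the whole `if (dedicatedZone != null)` block, so for a root-admin-owned VM everything in that block is skipped, not only the access check. The block's body continues past the hunk, and the visible comment about hosts being explicitly dedicated (together with `isExplicit` declared just above) suggests it may also do planning setup; if it does, the root-admin test belongs around the access check inside the block rather than on the outer condition. The condition also keys on the VM owner's account type and not on the API caller, which is worth stating in the code: `// Root-admin-owned VMs skip the dedicated-zone access check; this tests the VM owner, not the caller.`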