From 39c0a302b4601a29c34f2b39e98180cd433ab8d4 Mon Sep 17 00:00:00 2001
From: Prachi Damle <prachi@cloud.com>
Date: Wed, 22 Jan 2014 13:58:34 -0800
Subject: [PATCH] Fix the isRootAdmin and isDomainAdmin to return true or false
 even if the permission is denied by IAM

---
 .../com/cloud/user/AccountManagerImpl.java    | 24 ++++++++++++-------
 .../acl/RoleBasedAPIAccessChecker.java        |  9 +++++++
 setup/db/db/schema-430to440.sql               |  4 ----
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 9b9a4b80f4a..f89e629ac3d 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -368,11 +368,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     public boolean isRootAdmin(long accountId) {
         AccountVO acct = _accountDao.findById(accountId);
         for (SecurityChecker checker : _securityCheckers) {
-            if (checker.checkAccess(acct, null, null, "SystemCapability")) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+            try {
+                if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                    }
+                    return true;
                 }
-                return true;
+            } catch (PermissionDeniedException ex) {
+                return false;
             }
         }
 
@@ -383,11 +387,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     public boolean isDomainAdmin(long accountId) {
         AccountVO acct = _accountDao.findById(accountId);
         for (SecurityChecker checker : _securityCheckers) {
-            if (checker.checkAccess(acct, null, null, "DomainCapability")) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+            try {
+                if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                    }
+                    return true;
                 }
-                return true;
+            } catch (PermissionDeniedException ex) {
+                return false;
             }
         }
         return false;
diff --git a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
index 67b6f466faf..acd14578ee2 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java
@@ -111,6 +111,15 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
             }
          }
 
+        // add the system-domain capability
+
+        _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null,
+                "SystemCapability", null, Permission.Allow);
+        _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null,
+                "DomainCapability", null, Permission.Allow);
+        _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
+                "DomainResourceCapability", null, Permission.Allow);
+
         for (PluggableService service : _services) {
             for (Class<?> cmdClass : service.getCommands()) {
                 APICommand command = cmdClass.getAnnotation(APICommand.class);
diff --git a/setup/db/db/schema-430to440.sql b/setup/db/db/schema-430to440.sql
index 7cf569a2259..5cd54af2249 100644
--- a/setup/db/db/schema-430to440.sql
+++ b/setup/db/db/schema-430to440.sql
@@ -538,7 +538,3 @@ INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values
 INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(4, 4, Now());
 INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(5, 5, Now());
 
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (1, 2, 'SystemCapability', 'Allow', Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (2, 3, 'DomainCapability', 'Allow', Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (3, 4, 'DomainResourceCapability', 'Allow', Now());
-