diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java index 6a7664420b1..a2399cfe35e 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java @@ -21,6 +21,7 @@ import java.util.Map; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -35,7 +36,7 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.user.Account; import com.cloud.user.UserAccount; -@APICommand(name = "createAccount", description = "Creates an account", responseObject = AccountResponse.class) +@APICommand(name = "createAccount", description = "Creates an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account }) public class CreateAccountCmd extends BaseCmd { public static final Logger s_logger = Logger.getLogger(CreateAccountCmd.class.getName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java index 7c1b206d067..f1547a42454 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/account/DeleteAccountCmd.java @@ -20,6 +20,9 @@ import javax.inject.Inject; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -36,7 +39,7 @@ import com.cloud.event.EventTypes; import com.cloud.user.Account; import com.cloud.user.User; -@APICommand(name = "deleteAccount", description = "Deletes a account, and all users associated with this account", responseObject = SuccessResponse.class) +@APICommand(name = "deleteAccount", description = "Deletes a account, and all users associated with this account", responseObject = SuccessResponse.class, entityType = { IAMEntityType.Account }) public class DeleteAccountCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(DeleteAccountCmd.class.getName()); private static final String s_name = "deleteaccountresponse"; @@ -44,7 +47,7 @@ public class DeleteAccountCmd extends BaseAsyncCmd { ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// - + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, required = true, description = "Account id") private Long id; diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java index bc6bfa5d1dc..028481c6a56 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/account/DisableAccountCmd.java @@ -20,6 +20,9 @@ import javax.inject.Inject; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -38,7 +41,7 @@ import com.cloud.exception.ConcurrentOperationException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.user.Account; -@APICommand(name = "disableAccount", description = "Disables an account", responseObject = AccountResponse.class) +@APICommand(name = "disableAccount", description = "Disables an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account }) public class DisableAccountCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(DisableAccountCmd.class.getName()); private static final String s_name = "disableaccountresponse"; @@ -46,6 +49,7 @@ public class DisableAccountCmd extends BaseAsyncCmd { ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "Account id") private Long id; diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java index 8f97d230ca7..9e38d3aa0a2 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/account/EnableAccountCmd.java @@ -20,6 +20,9 @@ import javax.inject.Inject; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -33,7 +36,7 @@ import org.apache.cloudstack.region.RegionService; import com.cloud.user.Account; -@APICommand(name = "enableAccount", description = "Enables an account", responseObject = AccountResponse.class) +@APICommand(name = "enableAccount", description = "Enables an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account }) public class EnableAccountCmd extends BaseCmd { public static final Logger s_logger = Logger.getLogger(EnableAccountCmd.class.getName()); private static final String s_name = "enableaccountresponse"; @@ -41,6 +44,7 @@ public class EnableAccountCmd extends BaseCmd { ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "Account id") private Long id; diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java index 93ec1be9f88..ddc1628e859 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/account/LockAccountCmd.java @@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.admin.account; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.BaseCmd; @@ -27,7 +28,7 @@ import org.apache.cloudstack.api.response.DomainResponse; import com.cloud.user.Account; -@APICommand(name = "lockAccount", description = "Locks an account", responseObject = AccountResponse.class) +@APICommand(name = "lockAccount", description = "Locks an account", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account }) public class LockAccountCmd extends BaseCmd { public static final Logger s_logger = Logger.getLogger(LockAccountCmd.class.getName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java b/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java index f5038d57e3b..d42384862fb 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/account/UpdateAccountCmd.java @@ -23,6 +23,9 @@ import javax.inject.Inject; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -36,7 +39,7 @@ import org.apache.cloudstack.region.RegionService; import com.cloud.user.Account; -@APICommand(name = "updateAccount", description = "Updates account information for the authenticated user", responseObject = AccountResponse.class) +@APICommand(name = "updateAccount", description = "Updates account information for the authenticated user", responseObject = AccountResponse.class, entityType = { IAMEntityType.Account }) public class UpdateAccountCmd extends BaseCmd { public static final Logger s_logger = Logger.getLogger(UpdateAccountCmd.class.getName()); private static final String s_name = "updateaccountresponse"; @@ -44,7 +47,7 @@ public class UpdateAccountCmd extends BaseCmd { ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// - + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = AccountResponse.class, description = "Account id") private Long id; diff --git a/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java b/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java index 0e01be142ee..1cec188cde4 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/internallb/ListInternalLBVMsCmd.java @@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.admin.internallb; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -34,7 +35,7 @@ import org.apache.cloudstack.api.response.ZoneResponse; import com.cloud.network.router.VirtualRouter.Role; -@APICommand(name = "listInternalLoadBalancerVMs", description = "List internal LB VMs.", responseObject = DomainRouterResponse.class) +@APICommand(name = "listInternalLoadBalancerVMs", description = "List internal LB VMs.", responseObject = DomainRouterResponse.class, entityType = { IAMEntityType.VirtualMachine }) public class ListInternalLBVMsCmd extends BaseListProjectAndAccountResourcesCmd { public static final Logger s_logger = Logger.getLogger(ListInternalLBVMsCmd.class.getName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java b/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java index 56dcb4f8403..b747c309b78 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/internallb/StartInternalLBVMCmd.java @@ -18,6 +18,9 @@ package org.apache.cloudstack.api.command.admin.internallb; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -36,7 +39,7 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.router.VirtualRouter; import com.cloud.network.router.VirtualRouter.Role; -@APICommand(name = "startInternalLoadBalancerVM", responseObject = DomainRouterResponse.class, description = "Starts an existing internal lb vm.") +@APICommand(name = "startInternalLoadBalancerVM", responseObject = DomainRouterResponse.class, description = "Starts an existing internal lb vm.", entityType = { IAMEntityType.VirtualMachine }) public class StartInternalLBVMCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(StartInternalLBVMCmd.class.getName()); private static final String s_name = "startinternallbvmresponse"; @@ -44,7 +47,7 @@ public class StartInternalLBVMCmd extends BaseAsyncCmd { ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// - + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = DomainRouterResponse.class, required = true, description = "the ID of the internal lb vm") private Long id; diff --git a/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java b/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java index 9da4db072db..f8a8b7bb111 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/internallb/StopInternalLBVMCmd.java @@ -18,6 +18,9 @@ package org.apache.cloudstack.api.command.admin.internallb; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.IAMEntityType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -35,7 +38,7 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.router.VirtualRouter; import com.cloud.network.router.VirtualRouter.Role; -@APICommand(name = "stopInternalLoadBalancerVM", description = "Stops an Internal LB vm.", responseObject = DomainRouterResponse.class) +@APICommand(name = "stopInternalLoadBalancerVM", description = "Stops an Internal LB vm.", responseObject = DomainRouterResponse.class, entityType = { IAMEntityType.VirtualMachine }) public class StopInternalLBVMCmd extends BaseAsyncCmd { public static final Logger s_logger = Logger.getLogger(StopInternalLBVMCmd.class.getName()); private static final String s_name = "stopinternallbvmresponse"; @@ -43,7 +46,7 @@ public class StopInternalLBVMCmd extends BaseAsyncCmd { // /////////////////////////////////////////////////// // ////////////// API parameters ///////////////////// // /////////////////////////////////////////////////// - + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = DomainRouterResponse.class, required = true, description = "the ID of the internal lb vm") private Long id; diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 8f4d3abdd7a..d5e4afc7a34 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -1106,7 +1106,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed"); } - checkAccess(CallContext.current().getCallingAccount(), null, true, account); + checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account); if (firstName != null) { if (firstName.isEmpty()) { @@ -1220,7 +1220,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed"); } - checkAccess(caller, null, true, account); + checkAccess(caller, AccessType.OperateEntry, true, account); boolean success = doSetUserStatus(userId, State.disabled); if (success) { @@ -1258,7 +1258,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed"); } - checkAccess(caller, null, true, account); + checkAccess(caller, AccessType.OperateEntry, true, account); boolean success = Transaction.execute(new TransactionCallback() { @Override @@ -1307,7 +1307,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed"); } - checkAccess(caller, null, true, account); + checkAccess(caller, AccessType.OperateEntry, true, account); // make sure the account is enabled too // if the user is either locked already or disabled already, don't change state...only lock currently enabled @@ -1416,7 +1416,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M // Check if user performing the action is allowed to modify this account Account caller = CallContext.current().getCallingAccount(); - checkAccess(caller, null, true, account); + checkAccess(caller, AccessType.OperateEntry, true, account); boolean success = enableAccount(account.getId()); if (success) { @@ -1450,7 +1450,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed"); } - checkAccess(caller, null, true, account); + checkAccess(caller, AccessType.OperateEntry, true, account); if (lockAccount(account.getId())) { CallContext.current().putContextParameter(Account.class, account.getUuid()); @@ -1480,7 +1480,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed"); } - checkAccess(caller, null, true, account); + checkAccess(caller, AccessType.OperateEntry, true, account); if (disableAccount(account.getId())) { CallContext.current().putContextParameter(Account.class, account.getUuid()); @@ -1599,7 +1599,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("The user is default and can't be removed"); } - checkAccess(CallContext.current().getCallingAccount(), null, true, account); + checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account); CallContext.current().putContextParameter(User.class, user.getUuid()); return _userDao.remove(id); }