mirror of https://github.com/apache/cloudstack.git
Do account permission checks for snapshots the way it's done for all other ControlledEntities
parent
0afb545e07
commit
78b2df8549
|
|
@ -20,9 +20,10 @@ package com.cloud.storage;
|
|||
|
||||
import java.util.Date;
|
||||
|
||||
import com.cloud.acl.ControlledEntity;
|
||||
import com.cloud.hypervisor.Hypervisor.HypervisorType;
|
||||
|
||||
public interface Snapshot {
|
||||
public interface Snapshot extends ControlledEntity{
|
||||
public enum Type {
|
||||
MANUAL,
|
||||
RECURRING,
|
||||
|
|
|
|||
|
|
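Review bot: `Snapshot` gains `extends ControlledEntity` with no comment on what that commits implementers to. Elsewhere in this commit `deleteSnapshot` passes the snapshot straight to `_accountMgr.checkAccess`, where the removed code first loaded the owner through `_accountDao.findById(snapshotCheck.getAccountId())` and used that account's domain. Assuming `ControlledEntity` exposes the owning account and domain, the values stored on the snapshot itself now decide access. A short Javadoc on the interface would make that explicit, for example `/** Ownership accessors inherited from ControlledEntity are what access checks evaluate; they must match the owning account. */`. The interface body continues outside the hunk.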
@ -26,19 +26,16 @@ import javax.ejb.Local;
|
|||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.cloud.storage.SnapshotVO;
|
||||
import com.cloud.storage.Snapshot.Type;
|
||||
import com.cloud.storage.SnapshotVO;
|
||||
import com.cloud.storage.VMTemplateStorageResourceAssoc.Status;
|
||||
import com.cloud.utils.db.Filter;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.GenericSearchBuilder;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
import com.cloud.utils.db.SearchCriteria;
|
||||
import com.cloud.utils.db.Transaction;
|
||||
import com.cloud.utils.db.SearchCriteria.Func;
|
||||
import com.cloud.vm.VMInstanceVO;
|
||||
import com.cloud.vm.VirtualMachine;
|
||||
import com.cloud.vm.VirtualMachine.State;
|
||||
import com.cloud.utils.db.Transaction;
|
||||
|
||||
@Local (value={SnapshotDao.class})
|
||||
public class SnapshotDaoImpl extends GenericDaoBase<SnapshotVO, Long> implements SnapshotDao {
|
||||
|
|
|
|||
|
|
@ -63,8 +63,8 @@ import com.cloud.exception.PermissionDeniedException;
|
|||
import com.cloud.exception.ResourceAllocationException;
|
||||
import com.cloud.exception.StorageUnavailableException;
|
||||
import com.cloud.host.HostVO;
|
||||
import com.cloud.host.dao.HostDetailsDao;
|
||||
import com.cloud.host.dao.HostDao;
|
||||
import com.cloud.host.dao.HostDetailsDao;
|
||||
import com.cloud.hypervisor.Hypervisor.HypervisorType;
|
||||
import com.cloud.storage.Snapshot;
|
||||
import com.cloud.storage.Snapshot.Status;
|
||||
|
|
@ -345,7 +345,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
VolumeVO volume = null;
|
||||
boolean backedUp = false;
|
||||
// does the caller have the authority to act on this volume
|
||||
checkAccountPermissions(v.getAccountId(), v.getDomainId(), "volume", volumeId);
|
||||
_accountMgr.checkAccess(UserContext.current().getCaller(), null, v);
|
||||
try {
|
||||
if (v != null && _volsDao.getHypervisorType(v.getId()).equals(HypervisorType.KVM)) {
|
||||
/* KVM needs to lock on the vm of volume, because it takes snapshot on behalf of vm, not volume */
|
||||
|
|
@ -666,34 +666,12 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
}
|
||||
}
|
||||
|
||||
private Long checkAccountPermissions(long targetAccountId, long targetDomainId, String targetDesc, long targetId) {
|
||||
Long accountId = null;
|
||||
|
||||
Account account = UserContext.current().getCaller();
|
||||
if (account != null) {
|
||||
|
||||
/*
|
||||
* if (!isAdmin(account.getType())) { if (account.getId() != targetAccountId) { throw new
|
||||
* InvalidParameterValueException("Unable to find a " + targetDesc + " with id " + targetId + " for this account");
|
||||
* } } else if (!_domainDao.isChildDomain(account.getDomainId(), targetDomainId)) { throw new
|
||||
* PermissionDeniedException("Unable to perform operation for " + targetDesc + " with id " + targetId +
|
||||
* ", permission denied."); } accountId = account.getId();
|
||||
*/
|
||||
_accountMgr.checkAccess(account, _domainDao.findById(targetDomainId));
|
||||
}
|
||||
|
||||
return accountId;
|
||||
}
|
||||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
||||
@Override
|
||||
@DB
|
||||
@ActionEvent(eventType = EventTypes.EVENT_SNAPSHOT_DELETE, eventDescription = "deleting snapshot", async = true)
|
||||
public boolean deleteSnapshot(DeleteSnapshotCmd cmd) {
|
||||
Long snapshotId = cmd.getId();
|
||||
Account caller = UserContext.current().getCaller();
|
||||
|
||||
// Verify parameters
|
||||
Snapshot snapshotCheck = _snapshotDao.findByIdIncludingRemoved(snapshotId.longValue());
|
||||
|
|
@ -701,20 +679,9 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
throw new InvalidParameterValueException("unable to find a snapshot with id " + snapshotId);
|
||||
}
|
||||
|
||||
// If an account was passed in, make sure that it matches the account of the snapshot
|
||||
Account snapshotOwner = _accountDao.findById(snapshotCheck.getAccountId());
|
||||
if (snapshotOwner == null) {
|
||||
throw new InvalidParameterValueException("Snapshot id " + snapshotId + " does not have a valid account");
|
||||
}
|
||||
checkAccountPermissions(snapshotOwner.getId(), snapshotOwner.getDomainId(), "snapshot", snapshotId);
|
||||
_accountMgr.checkAccess(caller, null, snapshotCheck);
|
||||
|
||||
boolean status = deleteSnapshotInternal(snapshotId);
|
||||
if (!status) {
|
||||
s_logger.warn("Failed to delete snapshot");
|
||||
throw new CloudRuntimeException("Failed to delete snapshot:" + snapshotId);
|
||||
}
|
||||
|
||||
return status;
|
||||
return deleteSnapshotInternal(snapshotId);
|
||||
}
|
||||
|
||||
@DB
|
||||
|
|
@ -726,7 +693,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
SnapshotVO snapshot = _snapshotDao.findById(snapshotId);
|
||||
if (snapshot.getBackupSnapshotId() != null) {
|
||||
List<SnapshotVO> snaps = _snapshotDao.listByBackupUuid(snapshot.getVolumeId(), snapshot.getBackupSnapshotId());
|
||||
if (snaps != null && snaps.size() > 1) {
|
||||
if (!snaps.isEmpty()) {
|
||||
snapshot.setBackupSnapshotId(null);
|
||||
_snapshotDao.update(snapshot.getId(), snapshot);
|
||||
}
|
||||
|
|
@ -849,16 +816,15 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
if (volumeId != null) {
|
||||
VolumeVO volume = _volsDao.findById(volumeId);
|
||||
if (volume != null) {
|
||||
checkAccountPermissions(volume.getAccountId(), volume.getDomainId(), "volume", volumeId);
|
||||
_accountMgr.checkAccess(UserContext.current().getCaller(), null, volume);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Account account = UserContext.current().getCaller();
|
||||
Long domainId = cmd.getDomainId();
|
||||
String accountName = cmd.getAccountName();
|
||||
Long accountId = null;
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountMgr.isAdmin(account.getType())) {
|
||||
if (domainId != null) {
|
||||
if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), domainId)) {
|
||||
throw new PermissionDeniedException("Unable to list templates for domain " + domainId + ", permission denied.");
|
||||
|
|
@ -1059,9 +1025,8 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
|
||||
AccountVO owner = _accountDao.findById(volume.getAccountId());
|
||||
DomainVO domain = _domainDao.findById(owner.getDomainId());
|
||||
|
||||
// If an account was passed in, make sure that it matches the account of the volume
|
||||
checkAccountPermissions(volume.getAccountId(), volume.getDomainId(), "volume", volumeId);
|
||||
|
||||
_accountMgr.checkAccess(UserContext.current().getCaller(), null, volume);
|
||||
|
||||
Long instanceId = volume.getInstanceId();
|
||||
if (instanceId != null) {
|
||||
|
|
@ -1143,7 +1108,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
if (volume == null) {
|
||||
throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId);
|
||||
}
|
||||
checkAccountPermissions(volume.getAccountId(), volume.getDomainId(), "volume", volumeId);
|
||||
_accountMgr.checkAccess(UserContext.current().getCaller(), null, volume);
|
||||
return listPoliciesforVolume(cmd.getVolumeId());
|
||||
}
|
||||
|
||||
|
|
@ -1207,7 +1172,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
|
||||
if (account != null) {
|
||||
long volAcctId = volume.getAccountId();
|
||||
if (isAdmin(account.getType())) {
|
||||
if (_accountMgr.isAdmin(account.getType())) {
|
||||
Account userAccount = _accountDao.findById(Long.valueOf(volAcctId));
|
||||
if (!_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) {
|
||||
throw new PermissionDeniedException("Unable to list snapshot schedule for volume " + volumeId + ", permission denied.");
|
||||
|
|
@ -1385,8 +1350,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
throw new InvalidParameterValueException("Policy id given: " + policy + " does not belong to a valid volume");
|
||||
}
|
||||
|
||||
// If an account was passed in, make sure that it matches the account of the volume
|
||||
checkAccountPermissions(volume.getAccountId(), volume.getDomainId(), "volume", volume.getId());
|
||||
_accountMgr.checkAccess(UserContext.current().getCaller(), null, volume);
|
||||
}
|
||||
|
||||
boolean success = true;
|
||||
|
|
|
|||
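Review bot: In the `@ -345,7 +345,7` hunk the new `_accountMgr.checkAccess(UserContext.current().getCaller(), null, v);` runs before the `if (v != null && ...)` test just below it, so the access check can be handed a null volume. The replaced call dereferenced `v` and would have failed outright; what `checkAccess` does with a null entity is not visible here, and if it skips null entries the check passes without examining anything. Reject the missing volume first, e.g. `if (v == null) { throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId); }`, and only then call `checkAccess`. Separately, two hunks change behaviour beyond the stated permission refactor and need their own justification: `deleteSnapshot` now returns `deleteSnapshotInternal(snapshotId)` without the warning log and `CloudRuntimeException` on failure, and the `snaps` test appears to go from `snaps != null && snaps.size() > 1` to `!snaps.isEmpty()`, dropping the null guard and changing the threshold. The enclosing methods start and end outside these hunks.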