From 94ebc908776fee97fc996db15044a1fefbff7fdf Mon Sep 17 00:00:00 2001 From: Min Chen Date: Fri, 4 Apr 2014 15:33:55 -0700 Subject: [PATCH] Remove usage of sameOwner checkAccess invocation, and convert to OperateEntry IAM check. --- api/src/com/cloud/network/NetworkModel.java | 4 + api/src/com/cloud/user/AccountService.java | 5 + .../address/AssociateIPAddrCmdByAdmin.java | 5 +- .../admin/vm/AddNicToVMCmdByAdmin.java | 4 +- .../user/address/AssociateIPAddrCmd.java | 1 + .../firewall/CreatePortForwardingRuleCmd.java | 4 +- .../AssignToLoadBalancerRuleCmd.java | 16 ++- .../ListLBStickinessPoliciesCmd.java | 4 +- .../command/user/nat/EnableStaticNatCmd.java | 8 +- .../user/snapshot/CreateSnapshotCmd.java | 2 + .../api/command/user/vm/AddNicToVMCmd.java | 1 + .../user/vmsnapshot/CreateVMSnapshotCmd.java | 3 +- .../command/user/volume/CreateVolumeCmd.java | 3 + .../lb/InternalLoadBalancerVMManagerImpl.java | 9 +- .../management/MockAccountManager.java | 12 ++ .../src/com/cloud/api/ApiResponseHelper.java | 2 +- .../api/dispatch/ParamProcessWorker.java | 4 +- .../com/cloud/api/query/QueryManagerImpl.java | 17 +-- .../ConfigurationManagerImpl.java | 4 +- .../cloud/network/IpAddressManagerImpl.java | 17 ++- .../com/cloud/network/NetworkModelImpl.java | 25 ++++ .../com/cloud/network/NetworkServiceImpl.java | 26 ++--- .../network/as/AutoScaleManagerImpl.java | 10 +- .../network/firewall/FirewallManagerImpl.java | 19 +-- .../lb/LoadBalancingRulesManagerImpl.java | 36 +++--- .../VirtualNetworkApplianceManagerImpl.java | 23 ++-- .../cloud/network/rules/RulesManagerImpl.java | 30 ++--- .../security/SecurityGroupManagerImpl.java | 8 +- .../network/vpc/NetworkACLServiceImpl.java | 22 ++-- .../com/cloud/network/vpc/VpcManagerImpl.java | 24 ++-- .../vpn/RemoteAccessVpnManagerImpl.java | 18 +-- .../network/vpn/Site2SiteVpnManagerImpl.java | 29 ++--- .../cloud/projects/ProjectManagerImpl.java | 18 +-- .../ResourceLimitManagerImpl.java | 8 +- .../cloud/server/ManagementServerImpl.java | 12 +- .../cloud/servlet/ConsoleProxyServlet.java | 2 +- .../cloud/storage/VolumeApiServiceImpl.java | 29 ++--- .../storage/snapshot/SnapshotManagerImpl.java | 15 +-- .../cloud/tags/TaggedResourceManagerImpl.java | 7 +- .../cloud/template/TemplateAdapterBase.java | 4 +- .../cloud/template/TemplateManagerImpl.java | 34 +++--- .../com/cloud/user/AccountManagerImpl.java | 34 ++++-- .../src/com/cloud/vm/UserVmManagerImpl.java | 109 ++++++------------ .../vm/snapshot/VMSnapshotManagerImpl.java | 10 +- .../affinity/AffinityGroupServiceImpl.java | 13 +-- .../ApplicationLoadBalancerManagerImpl.java | 9 +- .../network/lb/CertServiceImpl.java | 8 +- .../GlobalLoadBalancingRulesServiceImpl.java | 14 +-- .../cloud/event/EventControlsUnitTest.java | 2 +- .../cloud/network/MockNetworkModelImpl.java | 9 ++ .../cloud/user/MockAccountManagerImpl.java | 11 ++ .../test/com/cloud/vm/UserVmManagerTest.java | 8 +- .../vm/snapshot/VMSnapshotManagerTest.java | 2 +- .../com/cloud/vpc/MockNetworkModelImpl.java | 9 ++ 54 files changed, 416 insertions(+), 346 deletions(-) diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java index 1c40e87736b..f48bc9a7e5a 100644 --- a/api/src/com/cloud/network/NetworkModel.java +++ b/api/src/com/cloud/network/NetworkModel.java @@ -22,6 +22,8 @@ import java.util.List; import java.util.Map; import java.util.Set; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; + import com.cloud.dc.Vlan; import com.cloud.exception.InsufficientAddressCapacityException; import com.cloud.exception.InvalidParameterValueException; @@ -273,4 +275,6 @@ public interface NetworkModel { boolean isNetworkReadyForGc(long networkId); boolean getNetworkEgressDefaultPolicy(Long networkId); + + void checkNetworkPermissions(Account owner, Network network, AccessType accessType); } \ No newline at end of file diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java index 7e37b386b96..49652700ff5 100755 --- a/api/src/com/cloud/user/AccountService.java +++ b/api/src/com/cloud/user/AccountService.java @@ -106,6 +106,11 @@ public interface AccountService { void checkAccess(Account account, Domain domain) throws PermissionDeniedException; + void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException; + + void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException; + + // TODO: the following two interfaces will be deprecated by the above two counterparts when securityChecker implementation is in place void checkAccess(Account account, AccessType accessType, boolean sameOwner, ControlledEntity... entities) throws PermissionDeniedException; void checkAccess(Account account, AccessType accessType, boolean sameOwner, String apiName, diff --git a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java index dbff93f222a..494a6d66e40 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java +++ b/api/src/org/apache/cloudstack/api/command/admin/address/AssociateIPAddrCmdByAdmin.java @@ -31,8 +31,11 @@ import com.cloud.exception.InsufficientCapacityException; import com.cloud.exception.ResourceAllocationException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IpAddress; +import com.cloud.network.vpc.Vpc; -@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full) +@APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Full, + entityType = {IpAddress.class, Vpc.class}, + requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class AssociateIPAddrCmdByAdmin extends AssociateIPAddrCmd { public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmdByAdmin.class.getName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java index 996d1bd49e5..ee6d0e78e09 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java +++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java @@ -32,8 +32,8 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.uservm.UserVm; -@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full) - +@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, + requestHasSensitiveInfo = false, responseHasSensitiveInfo = true) public class AddNicToVMCmdByAdmin extends AddNicToVMCmd { public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class); diff --git a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java index 3f0d2467bf3..091229f6817 100644 --- a/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/address/AssociateIPAddrCmd.java @@ -58,6 +58,7 @@ import com.cloud.projects.Project; import com.cloud.user.Account; @APICommand(name = "associateIpAddress", description = "Acquires and associates a public IP to an account.", responseObject = IPAddressResponse.class, responseView = ResponseView.Restricted, + entityType = {IpAddress.class, Vpc.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class AssociateIPAddrCmd extends BaseAsyncCreateCmd { public static final Logger s_logger = Logger.getLogger(AssociateIPAddrCmd.class.getName()); diff --git a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java index 8d9aa6fee98..f18767e1da6 100644 --- a/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/firewall/CreatePortForwardingRuleCmd.java @@ -45,8 +45,10 @@ import com.cloud.network.rules.PortForwardingRule; import com.cloud.user.Account; import com.cloud.utils.net.Ip; import com.cloud.utils.net.NetUtils; +import com.cloud.vm.VirtualMachine; -@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {PortForwardingRule.class}, +@APICommand(name = "createPortForwardingRule", description = "Creates a port forwarding rule", responseObject = FirewallRuleResponse.class, entityType = {FirewallRule.class, + VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class CreatePortForwardingRuleCmd extends BaseAsyncCreateCmd implements PortForwardingRule { public static final Logger s_logger = Logger.getLogger(CreatePortForwardingRuleCmd.class.getName()); diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java index 6a69792be3b..eb26ce652a6 100644 --- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/AssignToLoadBalancerRuleCmd.java @@ -16,15 +16,17 @@ // under the License. package org.apache.cloudstack.api.command.user.loadbalancer; +import java.util.ArrayList; +import java.util.Collection; import java.util.HashMap; +import java.util.Iterator; import java.util.List; import java.util.Map; -import java.util.Collection; -import java.util.Iterator; -import java.util.ArrayList; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -38,13 +40,15 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.event.EventTypes; import com.cloud.exception.InvalidParameterValueException; +import com.cloud.network.rules.FirewallRule; import com.cloud.network.rules.LoadBalancer; import com.cloud.user.Account; import com.cloud.utils.StringUtils; +import com.cloud.vm.VirtualMachine; @APICommand(name = "assignToLoadBalancerRule", description = "Assigns virtual machine or a list of virtual machines to a load balancer rule.", - responseObject = SuccessResponse.class, + responseObject = SuccessResponse.class, entityType = {FirewallRule.class, VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { @@ -56,6 +60,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType = FirewallRuleResponse.class, @@ -63,6 +68,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { description = "the ID of the load balancer rule") private Long id; + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_IDS, type = CommandType.LIST, collectionType = CommandType.UUID, @@ -157,7 +163,7 @@ public class AssignToLoadBalancerRuleCmd extends BaseAsyncCmd { boolean result = _lbService.assignToLoadBalancer(getLoadBalancerId(), virtualMachineIds, vmIdIpsMap); if (result) { SuccessResponse response = new SuccessResponse(getCommandName()); - this.setResponseObject(response); + setResponseObject(response); } else { throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to assign load balancer rule"); } diff --git a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java index 2e7ae3c5e19..1ceb214b306 100644 --- a/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/loadbalancer/ListLBStickinessPoliciesCmd.java @@ -76,7 +76,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd { if (lb != null) { //check permissions Account caller = CallContext.current().getCallingAccount(); - _accountService.checkAccess(caller, null, true, lb); + _accountService.checkAccess(caller, null, lb); List stickinessPolicies = _lbService.searchForLBStickinessPolicies(this); LBStickinessResponse spResponse = _responseGenerator.createLBStickinessPolicyResponse(stickinessPolicies, lb); spResponses.add(spResponse); @@ -84,7 +84,7 @@ public class ListLBStickinessPoliciesCmd extends BaseListCmd { } response.setResponseName(getCommandName()); - this.setResponseObject(response); + setResponseObject(response); } } diff --git a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java index aa4e28768a6..94699ac6ffa 100644 --- a/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/nat/EnableStaticNatCmd.java @@ -18,6 +18,8 @@ package org.apache.cloudstack.api.command.user.nat; import org.apache.log4j.Logger; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -35,8 +37,10 @@ import com.cloud.exception.ResourceUnavailableException; import com.cloud.network.IpAddress; import com.cloud.user.Account; import com.cloud.uservm.UserVm; +import com.cloud.vm.VirtualMachine; @APICommand(name = "enableStaticNat", description = "Enables static nat for given ip address", responseObject = SuccessResponse.class, + entityType = {IpAddress.class, VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class EnableStaticNatCmd extends BaseCmd { public static final Logger s_logger = Logger.getLogger(CreateIpForwardingRuleCmd.class.getName()); @@ -47,10 +51,12 @@ public class EnableStaticNatCmd extends BaseCmd { //////////////// API parameters ///////////////////// ///////////////////////////////////////////////////// + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.IP_ADDRESS_ID, type = CommandType.UUID, entityType = IPAddressResponse.class, required = true, description = "the public IP " + "address id for which static nat feature is being enabled") private Long ipAddressId; + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, required = true, description = "the ID of " + "the virtual machine for enabling static nat feature") private Long virtualMachineId; @@ -133,7 +139,7 @@ public class EnableStaticNatCmd extends BaseCmd { boolean result = _rulesService.enableStaticNat(ipAddressId, virtualMachineId, getNetworkId(), getVmSecondaryIp()); if (result) { SuccessResponse response = new SuccessResponse(getCommandName()); - this.setResponseObject(response); + setResponseObject(response); } else { throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to enable static nat"); } diff --git a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java index df7fe8296bc..bd8662e1460 100644 --- a/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/snapshot/CreateSnapshotCmd.java @@ -18,6 +18,7 @@ package org.apache.cloudstack.api.command.user.snapshot; import org.apache.log4j.Logger; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -62,6 +63,7 @@ public class CreateSnapshotCmd extends BaseAsyncCreateCmd { description = "The domain ID of the snapshot. If used with the account parameter, specifies a domain for the account associated with the disk volume.") private Long domainId; + @ACL @Parameter(name = ApiConstants.VOLUME_ID, type = CommandType.UUID, entityType = VolumeResponse.class, required = true, description = "The ID of the disk volume") private Long volumeId; diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java index f265ecf236a..fd30152ae08 100644 --- a/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vm/AddNicToVMCmd.java @@ -54,6 +54,7 @@ public class AddNicToVMCmd extends BaseAsyncCmd { required=true, description="Virtual Machine ID") private Long vmId; + @ACL @Parameter(name = ApiConstants.NETWORK_ID, type = CommandType.UUID, entityType = NetworkResponse.class, required = true, description = "Network ID") private Long netId; diff --git a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java index 10ff5cddb12..1310ba5b759 100644 --- a/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vmsnapshot/CreateVMSnapshotCmd.java @@ -19,7 +19,6 @@ package org.apache.cloudstack.api.command.user.vmsnapshot; import java.util.logging.Logger; -import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; @@ -43,7 +42,7 @@ public class CreateVMSnapshotCmd extends BaseAsyncCreateCmd { public static final Logger s_logger = Logger.getLogger(CreateVMSnapshotCmd.class.getName()); private static final String s_name = "createvmsnapshotresponse"; - @ACL(accessType = AccessType.OperateEntry) + @ACL @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, required = true, entityType = UserVmResponse.class, description = "The ID of the vm") private Long vmId; diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java index 75c34a21c53..2a651599b56 100644 --- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java @@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -89,6 +90,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd { @Parameter(name = ApiConstants.MAX_IOPS, type = CommandType.LONG, description = "max iops") private Long maxIops; + @ACL @Parameter(name = ApiConstants.SNAPSHOT_ID, type = CommandType.UUID, entityType = SnapshotResponse.class, @@ -101,6 +103,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd { @Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin}) private Boolean displayVolume; + @ACL @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, diff --git a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java index aa763d582bc..89707c9dd23 100644 --- a/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java +++ b/plugins/network-elements/internal-loadbalancer/src/org/apache/cloudstack/network/lb/InternalLoadBalancerVMManagerImpl.java @@ -27,11 +27,12 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; + import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO; import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao; -import org.apache.log4j.Logger; import com.cloud.agent.AgentManager; import com.cloud.agent.api.Answer; @@ -519,7 +520,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In return true; } - _accountMgr.checkAccess(caller, null, true, internalLbVm); + _accountMgr.checkAccess(caller, null, internalLbVm); _itMgr.expunge(internalLbVm.getUuid()); _internalLbVmDao.remove(internalLbVm.getId()); @@ -534,7 +535,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In } //check permissions - _accountMgr.checkAccess(caller, null, true, internalLbVm); + _accountMgr.checkAccess(caller, null, internalLbVm); return stopInternalLbVm(internalLbVm, forced, caller, callerUserId); } @@ -912,7 +913,7 @@ public class InternalLoadBalancerVMManagerImpl extends ManagerBase implements In } //check permissions - _accountMgr.checkAccess(caller, null, true, internalLbVm); + _accountMgr.checkAccess(caller, null, internalLbVm); return startInternalLbVm(internalLbVm, caller, callerUserId, null); } diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java index 957f708b6ca..8fa6fed584a 100644 --- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java +++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java @@ -381,4 +381,16 @@ public class MockAccountManager extends ManagerBase implements AccountManager { return null; } + @Override + public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException { + // TODO Auto-generated method stub + + } + + @Override + public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException { + // TODO Auto-generated method stub + + } + } diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 38f2f0b21ed..ba1e91f72f3 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -1543,7 +1543,7 @@ public class ApiResponseHelper implements ResponseGenerator { throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId()); } } else if (_accountMgr.isDomainAdmin(caller.getId())) { - _accountMgr.checkAccess(caller, null, true, jobOwner); + _accountMgr.checkAccess(caller, null, jobOwner); } return createAsyncJobResponse(_jobMgr.queryJob(cmd.getId(), true)); diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java index 21932f7bdc8..c86689fae0e 100644 --- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java +++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java @@ -43,11 +43,11 @@ import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiErrorCode; import org.apache.cloudstack.api.BaseCmd; +import org.apache.cloudstack.api.BaseCmd.CommandType; import org.apache.cloudstack.api.EntityReference; import org.apache.cloudstack.api.InternalIdentity; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.ServerApiException; -import org.apache.cloudstack.api.BaseCmd.CommandType; import org.apache.cloudstack.api.command.admin.resource.ArchiveAlertsCmd; import org.apache.cloudstack.api.command.admin.resource.DeleteAlertsCmd; import org.apache.cloudstack.api.command.user.event.ArchiveEventsCmd; @@ -244,7 +244,7 @@ public class ParamProcessWorker implements DispatchWorker { if (AccessType.OperateEntry == entitiesToAccess.get(entity)) { entitiesToOperate.add((ControlledEntity) entity); } else { - _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), false, apiName, + _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), apiName, (ControlledEntity) entity); } } else if (entity instanceof InfrastructureEntity) { diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 3abb9446512..f31b1f899a7 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -26,6 +26,9 @@ import java.util.Set; import javax.ejb.Local; import javax.inject.Inject; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.acl.ControlledEntity.ACLType; import org.apache.cloudstack.affinity.AffinityGroupDomainMapVO; import org.apache.cloudstack.affinity.AffinityGroupResponse; @@ -95,8 +98,6 @@ import org.apache.cloudstack.engine.subsystem.api.storage.DataStoreManager; import org.apache.cloudstack.engine.subsystem.api.storage.TemplateState; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.query.QueryService; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.api.query.dao.AccountJoinDao; import com.cloud.api.query.dao.AffinityGroupJoinDao; @@ -1005,7 +1006,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { if (userVM == null) { throw new InvalidParameterValueException("Unable to list network groups for virtual machine instance " + instanceId + "; instance not found."); } - _accountMgr.checkAccess(caller, null, true, userVM); + _accountMgr.checkAccess(caller, null, userVM); return listSecurityGroupRulesByVM(instanceId.longValue(), cmd.getStartIndex(), cmd.getPageSizeVal()); } @@ -1847,7 +1848,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { throw new InvalidParameterValueException("Unable to find account by id " + accountId); } - _accountMgr.checkAccess(caller, null, true, account); + _accountMgr.checkAccess(caller, null, account); } if (domainId != null) { @@ -1863,7 +1864,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { if (account == null || account.getId() == Account.ACCOUNT_ID_SYSTEM) { throw new InvalidParameterValueException("Unable to find account by name " + accountName + " in domain " + domainId); } - _accountMgr.checkAccess(caller, null, true, account); + _accountMgr.checkAccess(caller, null, account); } } @@ -2488,7 +2489,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { throw ex; } - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); ServiceOfferingVO offering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId()); sc.addAnd("id", SearchCriteria.Op.NEQ, offering.getId()); @@ -2913,7 +2914,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // if template is not public, perform permission check here if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(template.getAccountId()); - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); } // if templateId is specified, then we will just use the id to @@ -3181,7 +3182,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { if (userVM == null) { throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found."); } - _accountMgr.checkAccess(caller, null, true, userVM); + _accountMgr.checkAccess(caller, null, userVM); return listAffinityGroupsByVM(vmId.longValue(), startIndex, pageSize); } diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java index bdceed79f4a..75f4d8a2324 100755 --- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java @@ -16,7 +16,6 @@ // under the License. package com.cloud.configuration; -import com.cloud.network.element.NetworkElement; import java.net.URI; import java.sql.PreparedStatement; import java.sql.ResultSet; @@ -154,6 +153,7 @@ import com.cloud.network.dao.PhysicalNetworkDao; import com.cloud.network.dao.PhysicalNetworkTrafficTypeDao; import com.cloud.network.dao.PhysicalNetworkTrafficTypeVO; import com.cloud.network.dao.PhysicalNetworkVO; +import com.cloud.network.element.NetworkElement; import com.cloud.network.rules.LoadBalancerContainer.Scheme; import com.cloud.network.vpc.VpcManager; import com.cloud.offering.DiskOffering; @@ -4337,7 +4337,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati throw new InvalidParameterValueException("Can't update system networks"); } - _accountMgr.checkAccess(caller, null, true, network); + _accountMgr.checkAccess(caller, null, network); List offeringIds = _networkModel.listNetworkOfferingsForUpgrade(networkId); diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java index 9b1f9bd7ed3..746221fca10 100644 --- a/server/src/com/cloud/network/IpAddressManagerImpl.java +++ b/server/src/com/cloud/network/IpAddressManagerImpl.java @@ -29,6 +29,8 @@ import java.util.UUID; import javax.inject.Inject; +import org.apache.log4j.Logger; + import org.apache.cloudstack.acl.ControlledEntity.ACLType; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.context.CallContext; @@ -40,7 +42,6 @@ import org.apache.cloudstack.region.PortableIp; import org.apache.cloudstack.region.PortableIpDao; import org.apache.cloudstack.region.PortableIpVO; import org.apache.cloudstack.region.Region; -import org.apache.log4j.Logger; import com.cloud.agent.AgentManager; import com.cloud.alert.AlertManager; @@ -409,7 +410,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage Account caller = CallContext.current().getCallingAccount(); long callerUserId = CallContext.current().getCallingUserId(); // check permissions - _accountMgr.checkAccess(caller, null, false, ipOwner); + _accountMgr.checkAccess(caller, null, ipOwner); DataCenter zone = _entityMgr.findById(DataCenter.class, zoneId); @@ -1164,15 +1165,14 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage if (zone.getNetworkType() == NetworkType.Advanced) { if (network.getGuestType() == Network.GuestType.Shared) { if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) { - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false, - network); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network); } else { throw new InvalidParameterValueException("IP can be associated with guest network of 'shared' type only if " + "network services Source Nat, Static Nat, Port Forwarding, Load balancing, firewall are enabled in the network"); } } } else { - _accountMgr.checkAccess(caller, null, true, ipToAssoc); + _accountMgr.checkAccess(caller, null, ipToAssoc); } owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId()); } else { @@ -1187,7 +1187,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage Network network = _networksDao.findById(networkId); if (network != null) { - _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network); + _accountMgr.checkAccess(owner, AccessType.UseEntry, network); } else { s_logger.debug("Unable to find ip address by id: " + ipId); return null; @@ -1319,11 +1319,10 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage if (zone.getNetworkType() == NetworkType.Advanced) { if (network.getGuestType() == Network.GuestType.Shared) { assert (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())); - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, false, - network); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.UseEntry, network); } } else { - _accountMgr.checkAccess(caller, null, true, ipToAssoc); + _accountMgr.checkAccess(caller, null, ipToAssoc); } owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId()); } else { diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java index cdacf7873ef..918ebf808d5 100755 --- a/server/src/com/cloud/network/NetworkModelImpl.java +++ b/server/src/com/cloud/network/NetworkModelImpl.java @@ -35,6 +35,7 @@ import javax.naming.ConfigurationException; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.ControlledEntity.ACLType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao; @@ -97,6 +98,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao; import com.cloud.projects.dao.ProjectAccountDao; import com.cloud.server.ConfigurationServer; import com.cloud.user.Account; +import com.cloud.user.AccountManager; import com.cloud.user.AccountVO; import com.cloud.user.DomainManager; import com.cloud.user.dao.AccountDao; @@ -137,6 +139,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel { @Inject DomainDao _domainDao = null; @Inject + AccountManager _accountMgr; + @Inject ConfigurationDao _configDao; @Inject @@ -1566,6 +1570,27 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel { } } + @Override + public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) { + if (network == null) { + throw new CloudRuntimeException("cannot check permissions on (Network) "); + } + + AccountVO networkOwner = _accountDao.findById(network.getAccountId()); + if (networkOwner == null) { + throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid() + + ", network does not have an owner"); + } + if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) { + if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) { + throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid() + + ", permission denied"); + } + } else { + _accountMgr.checkAccess(owner, accessType, network); + } + } + @Override public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) { try { diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java index f23991cd0c4..c0791ae7d15 100755 --- a/server/src/com/cloud/network/NetworkServiceImpl.java +++ b/server/src/com/cloud/network/NetworkServiceImpl.java @@ -40,7 +40,6 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; -import com.cloud.network.lb.LoadBalancingRulesService; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.ControlledEntity.ACLType; @@ -123,6 +122,7 @@ import com.cloud.network.element.OvsProviderVO; import com.cloud.network.element.VirtualRouterElement; import com.cloud.network.element.VpcVirtualRouterElement; import com.cloud.network.guru.NetworkGuru; +import com.cloud.network.lb.LoadBalancingRulesService; import com.cloud.network.rules.FirewallRule.Purpose; import com.cloud.network.rules.FirewallRuleVO; import com.cloud.network.rules.RulesManager; @@ -542,7 +542,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { // if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork' if (zone.getNetworkType() == NetworkType.Advanced) { if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) { - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); + _accountMgr.checkAccess(caller, AccessType.UseEntry, network); if (s_logger.isDebugEnabled()) { s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId()); } @@ -554,7 +554,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { } } } else { - _accountMgr.checkAccess(caller, null, false, ipOwner); + _accountMgr.checkAccess(caller, null, ipOwner); } return _ipAddrMgr.allocateIp(ipOwner, false, caller, callerUserId, zone, displayIp); @@ -585,7 +585,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { // if shared network in the advanced zone, then check the caller against the network for 'AccessType.UseNetwork' if (zone.getNetworkType() == NetworkType.Advanced) { if (isSharedNetworkOfferingWithServices(network.getNetworkOfferingId())) { - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); + _accountMgr.checkAccess(caller, AccessType.UseEntry, network); if (s_logger.isDebugEnabled()) { s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId()); } @@ -605,7 +605,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { } } - _accountMgr.checkAccess(caller, null, false, ipOwner); + _accountMgr.checkAccess(caller, null, ipOwner); return _ipAddrMgr.allocatePortableIp(ipOwner, caller, zoneId, null, null); } @@ -671,7 +671,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { final Account ipOwner = _accountMgr.getAccount(vm.getAccountId()); // verify permissions - _accountMgr.checkAccess(caller, null, true, vm); + _accountMgr.checkAccess(caller, null, vm); Network network = _networksDao.findById(networkId); if (network == null) { @@ -767,7 +767,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { throw new InvalidParameterValueException("There is no vm with the given secondary ip"); } // verify permissions - _accountMgr.checkAccess(caller, null, true, vm); + _accountMgr.checkAccess(caller, null, vm); Network network = _networksDao.findById(secIpVO.getNetworkId()); @@ -891,7 +891,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { // verify permissions if (ipVO.getAllocatedToAccountId() != null) { - _accountMgr.checkAccess(caller, null, true, ipVO); + _accountMgr.checkAccess(caller, null, ipVO); } if (ipVO.isSourceNat()) { @@ -1620,7 +1620,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { Account owner = _accountMgr.getAccount(network.getAccountId()); // Perform permission check - _accountMgr.checkAccess(caller, null, true, network); + _accountMgr.checkAccess(caller, null, network); if (forced && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins"); @@ -1664,7 +1664,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { throw new InvalidParameterException("Unable to restart a running SDN network."); } - _accountMgr.checkAccess(callerAccount, null, true, network); + _accountMgr.checkAccess(callerAccount, null, network); boolean success = _networkMgr.restartNetwork(networkId, callerAccount, callerUser, cleanup); @@ -1800,7 +1800,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { throw new InvalidParameterValueException("Can't allow networks which traffic type is not " + TrafficType.Guest); } - _accountMgr.checkAccess(callerAccount, null, true, network); + _accountMgr.checkAccess(callerAccount, null, network); if (name != null) { network.setName(name); @@ -3845,7 +3845,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { throw ex; } - _accountMgr.checkAccess(caller, null, true, userVm); + _accountMgr.checkAccess(caller, null, userVm); return _networkMgr.listVmNics(vmId, nicId, networkId); } @@ -3869,7 +3869,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { // verify permissions if (ipVO.getAllocatedToAccountId() != null) { - _accountMgr.checkAccess(caller, null, true, ipVO); + _accountMgr.checkAccess(caller, null, ipVO); } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { throw new PermissionDeniedException("Only Root admin can update non-allocated ip addresses"); } diff --git a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java index c75dbba1d6a..09c66947016 100644 --- a/server/src/com/cloud/network/as/AutoScaleManagerImpl.java +++ b/server/src/com/cloud/network/as/AutoScaleManagerImpl.java @@ -240,7 +240,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale throw new InvalidParameterValueException("Unable to find " + paramName); } - _accountMgr.checkAccess(caller, null, false, (ControlledEntity)vo); + _accountMgr.checkAccess(caller, null, (ControlledEntity)vo); return vo; } @@ -342,7 +342,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale Account owner = _accountDao.findById(cmd.getAccountId()); Account caller = CallContext.current().getCallingAccount(); - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); long zoneId = cmd.getZoneId(); long serviceOfferingId = cmd.getServiceOfferingId(); @@ -527,7 +527,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale ControlledEntity[] sameOwnerEntities = conditions.toArray(new ControlledEntity[conditions.size() + 1]); sameOwnerEntities[sameOwnerEntities.length - 1] = autoScalePolicyVO; - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities); if (conditionIds.size() != conditions.size()) { // TODO report the condition id which could not be found @@ -621,7 +621,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale idList.add(ApiDBUtils.findDomainById(domainId).getUuid()); throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain with specifed domainId"); } - _accountMgr.checkAccess(caller, null, false, owner); + _accountMgr.checkAccess(caller, null, owner); } private class SearchWrapper { @@ -980,7 +980,7 @@ public class AutoScaleManagerImpl extends ManagerBase implements AutoScale ControlledEntity[] sameOwnerEntities = policies.toArray(new ControlledEntity[policies.size() + 2]); sameOwnerEntities[sameOwnerEntities.length - 2] = loadBalancer; sameOwnerEntities[sameOwnerEntities.length - 1] = profileVO; - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, sameOwnerEntities); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEntities); return Transaction.execute(new TransactionCallback() { @Override diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java index c312d3d1ba8..730606816b7 100644 --- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java +++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java @@ -27,12 +27,13 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.api.command.user.firewall.ListFirewallRulesCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.configuration.Config; import com.cloud.domain.dao.DomainDao; @@ -271,7 +272,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, if (ipAddressVO == null || !ipAddressVO.readyToUse()) { throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for firewall rules yet"); } - _accountMgr.checkAccess(caller, null, true, ipAddressVO); + _accountMgr.checkAccess(caller, null, ipAddressVO); } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); @@ -463,7 +464,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, } // Validate ip address - _accountMgr.checkAccess(caller, null, true, ipAddress); + _accountMgr.checkAccess(caller, null, ipAddress); } //network id either has to be passed explicitly, or implicitly as a part of ipAddress object @@ -475,7 +476,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, assert network != null : "Can't create rule as network associated with public ip address is null?"; if (trafficType == FirewallRule.TrafficType.Egress) { - _accountMgr.checkAccess(caller, null, true, network); + _accountMgr.checkAccess(caller, null, network); } // Verify that the network guru supports the protocol specified @@ -638,7 +639,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRuleVO[rules.size()])); + _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRuleVO[rules.size()])); } try { @@ -692,7 +693,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule"); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); revokeRule(rule, caller, userId, false); @@ -742,7 +743,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, throw new InvalidParameterValueException("Only root admin can update the system wide firewall rule"); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); if (customId != null) { rule.setUuid(customId); @@ -761,7 +762,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, @DB public void revokeRule(final FirewallRuleVO rule, Account caller, long userId, final boolean needUsageEvent) { if (caller != null) { - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); } Transaction.execute(new TransactionCallbackNoReturn() { diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java index e67fdba08ea..51c36b6e530 100755 --- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java +++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java @@ -30,7 +30,11 @@ import java.util.Set; import javax.ejb.Local; import javax.inject.Inject; -import com.cloud.vm.dao.NicSecondaryIpDao; +import org.apache.log4j.Logger; + +import com.google.gson.Gson; +import com.google.gson.reflect.TypeToken; + import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBHealthCheckPolicyCmd; import org.apache.cloudstack.api.command.user.loadbalancer.CreateLBStickinessPolicyCmd; @@ -46,7 +50,6 @@ import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationSe import org.apache.cloudstack.framework.config.dao.ConfigurationDao; import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO; import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao; -import org.apache.log4j.Logger; import com.cloud.agent.api.to.LoadBalancerTO; import com.cloud.configuration.ConfigurationManager; @@ -164,9 +167,8 @@ import com.cloud.vm.Nic; import com.cloud.vm.UserVmVO; import com.cloud.vm.VirtualMachine.State; import com.cloud.vm.dao.NicDao; +import com.cloud.vm.dao.NicSecondaryIpDao; import com.cloud.vm.dao.UserVmDao; -import com.google.gson.Gson; -import com.google.gson.reflect.TypeToken; @Local(value = {LoadBalancingRulesManager.class, LoadBalancingRulesService.class}) public class LoadBalancingRulesManagerImpl extends ManagerBase implements LoadBalancingRulesManager, LoadBalancingRulesService { @@ -527,7 +529,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present "); } - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); if (loadBalancer.getState() == FirewallRule.State.Revoke) { throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: "); } @@ -582,7 +584,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " not present "); } - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); if (loadBalancer.getState() == FirewallRule.State.Revoke) { throw new InvalidParameterValueException("Failed: LB rule id: " + cmd.getLbRuleId() + " is in deleting state: "); @@ -739,7 +741,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements } long loadBalancerId = loadBalancer.getId(); FirewallRule.State backupState = loadBalancer.getState(); - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); if (apply) { if (loadBalancer.getState() == FirewallRule.State.Active) { @@ -792,7 +794,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements } final long loadBalancerId = loadBalancer.getId(); FirewallRule.State backupState = loadBalancer.getState(); - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); if (apply) { if (loadBalancer.getState() == FirewallRule.State.Active) { @@ -1165,7 +1167,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements throw new InvalidParameterException("Invalid certificate id: " + certId); } - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); // check if LB and Cert belong to the same account if (loadBalancer.getAccountId() != certVO.getAccountId()) { @@ -1228,7 +1230,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements throw new InvalidParameterException("No certificate is bound to lb with id: " + lbRuleId); } - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); boolean success = false; FirewallRule.State backupState = loadBalancer.getState(); @@ -1272,7 +1274,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements throw new InvalidParameterException("Invalid load balancer value: " + loadBalancerId); } - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, loadBalancer); + _accountMgr.checkAccess(caller.getCallingAccount(), null, loadBalancer); if (instanceIds == null && vmIdIpMap.isEmpty()) { throw new InvalidParameterValueException("Both instanceids and vmidipmap can't be null"); @@ -1434,7 +1436,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements if (rule == null) { throw new InvalidParameterValueException("Unable to find load balancer rule " + loadBalancerId); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); boolean result = deleteLoadBalancerRule(loadBalancerId, apply, caller, ctx.getCallingUserId(), true); if (!result) { @@ -1658,7 +1660,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements throw ex; } - _accountMgr.checkAccess(caller.getCallingAccount(), null, true, ipAddr); + _accountMgr.checkAccess(caller.getCallingAccount(), null, ipAddr); final Long networkId = ipAddr.getAssociatedWithNetworkId(); if (networkId == null) { @@ -2032,7 +2034,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements } // check permissions - _accountMgr.checkAccess(caller, null, true, lb); + _accountMgr.checkAccess(caller, null, lb); if (name != null) { lb.setName(name); @@ -2111,7 +2113,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements return null; } - _accountMgr.checkAccess(caller, null, true, loadBalancer); + _accountMgr.checkAccess(caller, null, loadBalancer); List loadBalancerInstances = new ArrayList(); List serviceStates = new ArrayList(); @@ -2188,7 +2190,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements return null; } - _accountMgr.checkAccess(caller, null, true, loadBalancer); + _accountMgr.checkAccess(caller, null, loadBalancer); List sDbpolicies = _lb2stickinesspoliciesDao.listByLoadBalancerId(cmd.getLbRuleId()); @@ -2203,7 +2205,7 @@ public class LoadBalancingRulesManagerImpl extends ManagerBase implements if (loadBalancer == null) { return null; } - _accountMgr.checkAccess(caller, null, true, loadBalancer); + _accountMgr.checkAccess(caller, null, loadBalancer); List hcDbpolicies = _lb2healthcheckDao.listByLoadBalancerId(cmd.getLbRuleId()); return hcDbpolicies; } diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java index c692491a34b..0899f4288c6 100755 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java @@ -41,10 +41,14 @@ import java.util.concurrent.TimeUnit; import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; + import org.apache.log4j.Logger; + +import org.apache.cloudstack.alert.AlertService.AlertType; import org.apache.cloudstack.api.command.admin.router.RebootRouterCmd; import org.apache.cloudstack.api.command.admin.router.UpgradeRouterCmd; import org.apache.cloudstack.api.command.admin.router.UpgradeRouterTemplateCmd; +import org.apache.cloudstack.config.ApiServiceConfiguration; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; import org.apache.cloudstack.framework.config.ConfigDepot; @@ -55,7 +59,7 @@ import org.apache.cloudstack.framework.jobs.AsyncJobManager; import org.apache.cloudstack.framework.jobs.impl.AsyncJobVO; import org.apache.cloudstack.managed.context.ManagedContextRunnable; import org.apache.cloudstack.utils.identity.ManagementServerNode; -import org.apache.cloudstack.alert.AlertService.AlertType; + import com.cloud.agent.AgentManager; import com.cloud.agent.Listener; import com.cloud.agent.api.AgentControlAnswer; @@ -69,13 +73,12 @@ import com.cloud.agent.api.CheckS2SVpnConnectionsCommand; import com.cloud.agent.api.Command; import com.cloud.agent.api.GetDomRVersionAnswer; import com.cloud.agent.api.GetDomRVersionCmd; +import com.cloud.agent.api.GetRouterAlertsAnswer; import com.cloud.agent.api.ModifySshKeysCommand; import com.cloud.agent.api.NetworkUsageAnswer; import com.cloud.agent.api.NetworkUsageCommand; import com.cloud.agent.api.PvlanSetupCommand; import com.cloud.agent.api.StartupCommand; -import com.cloud.agent.api.routing.GetRouterAlertsCommand; -import com.cloud.agent.api.GetRouterAlertsAnswer; import com.cloud.agent.api.check.CheckSshAnswer; import com.cloud.agent.api.check.CheckSshCommand; import com.cloud.agent.api.routing.AggregationControlCommand; @@ -84,6 +87,7 @@ import com.cloud.agent.api.routing.CreateIpAliasCommand; import com.cloud.agent.api.routing.DeleteIpAliasCommand; import com.cloud.agent.api.routing.DhcpEntryCommand; import com.cloud.agent.api.routing.DnsMasqConfigCommand; +import com.cloud.agent.api.routing.GetRouterAlertsCommand; import com.cloud.agent.api.routing.IpAliasTO; import com.cloud.agent.api.routing.IpAssocCommand; import com.cloud.agent.api.routing.LoadBalancerConfigCommand; @@ -183,6 +187,7 @@ import com.cloud.network.dao.MonitoringServiceVO; import com.cloud.network.dao.NetworkDao; import com.cloud.network.dao.NetworkVO; import com.cloud.network.dao.OpRouterMonitorServiceDao; +import com.cloud.network.dao.OpRouterMonitorServiceVO; import com.cloud.network.dao.PhysicalNetworkServiceProviderDao; import com.cloud.network.dao.RemoteAccessVpnDao; import com.cloud.network.dao.Site2SiteCustomerGatewayDao; @@ -192,7 +197,6 @@ import com.cloud.network.dao.Site2SiteVpnGatewayDao; import com.cloud.network.dao.UserIpv6AddressDao; import com.cloud.network.dao.VirtualRouterProviderDao; import com.cloud.network.dao.VpnUserDao; -import com.cloud.network.dao.OpRouterMonitorServiceVO; import com.cloud.network.lb.LoadBalancingRule; import com.cloud.network.lb.LoadBalancingRule.LbDestination; import com.cloud.network.lb.LoadBalancingRule.LbHealthCheckPolicy; @@ -281,7 +285,6 @@ import com.cloud.vm.dao.NicIpAliasVO; import com.cloud.vm.dao.UserVmDao; import com.cloud.vm.dao.UserVmDetailsDao; import com.cloud.vm.dao.VMInstanceDao; -import org.apache.cloudstack.config.ApiServiceConfiguration; /** * VirtualNetworkApplianceManagerImpl manages the different types of virtual network appliances available in the Cloud Stack. @@ -457,7 +460,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V return null; } - _accountMgr.checkAccess(caller, null, true, router); + _accountMgr.checkAccess(caller, null, router); _itMgr.expunge(router.getUuid()); _routerDao.remove(router.getId()); @@ -476,7 +479,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V throw new InvalidParameterValueException("Unable to find router with id " + routerId); } - _accountMgr.checkAccess(caller, null, true, router); + _accountMgr.checkAccess(caller, null, router); if (router.getServiceOfferingId() == serviceOfferingId) { s_logger.debug("Router: " + routerId + "already has service offering: " + serviceOfferingId); @@ -591,7 +594,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V throw new InvalidParameterValueException("Unable to find router by id " + routerId + "."); } - _accountMgr.checkAccess(account, null, true, router); + _accountMgr.checkAccess(account, null, router); final UserVO user = _userDao.findById(CallContext.current().getCallingUserId()); @@ -650,7 +653,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V throw new InvalidParameterValueException("Unable to find domain router with id " + routerId + "."); } - _accountMgr.checkAccess(caller, null, true, router); + _accountMgr.checkAccess(caller, null, router); // Can reboot domain router only in Running state if (router == null || router.getState() != State.Running) { @@ -3252,7 +3255,7 @@ public class VirtualNetworkApplianceManagerImpl extends ManagerBase implements V if (router == null) { throw new InvalidParameterValueException("Unable to find router by id " + routerId + "."); } - _accountMgr.checkAccess(caller, null, true, router); + _accountMgr.checkAccess(caller, null, router); final Account owner = _accountMgr.getAccount(router.getAccountId()); diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java index 13f6306b7d2..5d56451fd41 100755 --- a/server/src/com/cloud/network/rules/RulesManagerImpl.java +++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java @@ -25,10 +25,12 @@ import java.util.Set; import javax.ejb.Local; import javax.inject.Inject; +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.command.user.firewall.ListPortForwardingRulesCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; -import org.apache.log4j.Logger; import com.cloud.configuration.ConfigurationManager; import com.cloud.domain.dao.DomainDao; @@ -162,7 +164,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } } - _accountMgr.checkAccess(caller, null, true, ipAddress, userVm); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipAddress, userVm); // validate that IP address and userVM belong to the same account if (ipAddress.getAllocatedToAccountId().longValue() != userVm.getAccountId()) { @@ -187,7 +189,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules return; } - _accountMgr.checkAccess(caller, null, true, rule, userVm); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, rule, userVm); if (userVm.getState() == VirtualMachine.State.Destroyed || userVm.getState() == VirtualMachine.State.Expunging) { throw new InvalidParameterValueException("Invalid user vm: " + userVm.getId()); @@ -680,7 +682,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules throw new InvalidParameterValueException("Unable to find " + ruleId); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); if (!revokePortForwardingRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) { throw new CloudRuntimeException("Failed to delete port forwarding rule"); @@ -715,7 +717,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules throw new InvalidParameterValueException("Unable to find " + ruleId); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); if (!revokeStaticNatRuleInternal(ruleId, caller, ctx.getCallingUserId(), apply)) { throw new CloudRuntimeException("Failed to revoke forwarding rule"); @@ -791,7 +793,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules if (ipAddressVO == null || !ipAddressVO.readyToUse()) { throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet"); } - _accountMgr.checkAccess(caller, null, true, ipAddressVO); + _accountMgr.checkAccess(caller, null, ipAddressVO); } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); @@ -866,7 +868,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()])); + _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()])); } try { @@ -895,7 +897,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()])); + _accountMgr.checkAccess(caller, null, staticNatRules.toArray(new StaticNatRule[staticNatRules.size()])); } try { @@ -919,7 +921,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()])); + _accountMgr.checkAccess(caller, null, rules.toArray(new PortForwardingRuleVO[rules.size()])); } try { @@ -945,7 +947,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, rules.toArray(new FirewallRule[rules.size()])); + _accountMgr.checkAccess(caller, null, rules.toArray(new FirewallRule[rules.size()])); } for (FirewallRuleVO rule : rules) { @@ -973,7 +975,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, ips.toArray(new IPAddressVO[ips.size()])); + _accountMgr.checkAccess(caller, null, ips.toArray(new IPAddressVO[ips.size()])); } List staticNats = new ArrayList(); @@ -1009,7 +1011,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules if (ipAddressVO == null || !ipAddressVO.readyToUse()) { throw new InvalidParameterValueException("Ip address id=" + ipId + " not ready for port forwarding rules yet"); } - _accountMgr.checkAccess(caller, null, true, ipAddressVO); + _accountMgr.checkAccess(caller, null, ipAddressVO); } Ternary domainIdRecursiveListProject = new Ternary(domainId, isRecursive, null); @@ -1385,7 +1387,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules } if (caller != null) { - _accountMgr.checkAccess(caller, null, true, sourceIp); + _accountMgr.checkAccess(caller, null, sourceIp); } // create new static nat rule @@ -1504,7 +1506,7 @@ public class RulesManagerImpl extends ManagerBase implements RulesManager, Rules if (rule == null) { throw new InvalidParameterValueException("Unable to find " + id); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); if (customId != null) { rule.setUuid(customId); diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java index f60a746e68c..b4c67b8d74d 100755 --- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java +++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java @@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro } // Verify permissions - _accountMgr.checkAccess(caller, null, true, securityGroup); + _accountMgr.checkAccess(caller, null, securityGroup); Long domainId = owner.getDomainId(); if (protocol == null) { @@ -819,7 +819,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro // Check permissions SecurityGroup securityGroup = _securityGroupDao.findById(rule.getSecurityGroupId()); - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, securityGroup); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup); long securityGroupId = rule.getSecurityGroupId(); Boolean result = Transaction.execute(new TransactionCallback() { @@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro } // check permissions - _accountMgr.checkAccess(caller, null, true, group); + _accountMgr.checkAccess(caller, null, group); return Transaction.execute(new TransactionCallbackWithException() { @Override @@ -1359,7 +1359,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro } // Verify permissions - _accountMgr.checkAccess(caller, null, false, vm); + _accountMgr.checkAccess(caller, null, vm); // Validate parameters List vmSgGrps = getSecurityGroupsForVm(vmId); diff --git a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java index e024fbe3d38..d2aa61763ce 100644 --- a/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java +++ b/server/src/com/cloud/network/vpc/NetworkACLServiceImpl.java @@ -103,7 +103,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ if (vpc == null) { throw new InvalidParameterValueException("Unable to find VPC"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); return _networkAclMgr.createNetworkACL(name, description, vpcId, forDisplay); } @@ -161,7 +161,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ if (vpc == null) { throw new InvalidParameterValueException("Unable to find VPC"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); //Include vpcId 0 to list default ACLs sc.setParameters("vpcId", vpcId, 0); } else { @@ -225,7 +225,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ if (vpc == null) { throw new InvalidParameterValueException("Unable to find specified VPC associated with the ACL"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); return _networkAclMgr.deleteNetworkACL(acl); } @@ -256,14 +256,14 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ if (vpc == null) { throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); if (!gateway.getVpcId().equals(acl.getVpcId())) { throw new InvalidParameterValueException("private gateway: " + privateGatewayId + " and ACL: " + aclId + " do not belong to the same VPC"); } } PrivateGateway privateGateway = _vpcSvc.getVpcPrivateGateway(gateway.getId()); - _accountMgr.checkAccess(caller, null, true, privateGateway); + _accountMgr.checkAccess(caller, null, privateGateway); return _networkAclMgr.replaceNetworkACLForPrivateGw(acl, privateGateway); @@ -299,7 +299,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); if (!network.getVpcId().equals(acl.getVpcId())) { throw new InvalidParameterValueException("Network: " + networkId + " and ACL: " + aclId + " do not belong to the same VPC"); } @@ -371,7 +371,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ if (vpc == null) { throw new InvalidParameterValueException("Unable to find Vpc associated with the NetworkACL"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); //Ensure that number is unique within the ACL if (aclItemCmd.getNumber() != null) { @@ -546,7 +546,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ if (vpc == null) { throw new InvalidParameterValueException("Unable to find VPC associated with acl"); } - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); } sc.setParameters("aclId", aclId); } else { @@ -615,7 +615,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ Account caller = CallContext.current().getCallingAccount(); - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); if((aclItem.getAclId() == NetworkACL.DEFAULT_ALLOW) || (aclItem.getAclId() == NetworkACL.DEFAULT_DENY)){ throw new InvalidParameterValueException("ACL Items in default ACL cannot be deleted"); @@ -642,7 +642,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ Account caller = CallContext.current().getCallingAccount(); - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); if (number != null) { //Check if ACL Item with specified number already exists @@ -664,7 +664,7 @@ public class NetworkACLServiceImpl extends ManagerBase implements NetworkACLServ NetworkACLVO acl = _networkACLDao.findById(id); Vpc vpc = _entityMgr.findById(Vpc.class, acl.getVpcId()); Account caller = CallContext.current().getCallingAccount(); - _accountMgr.checkAccess(caller, null, true, vpc); + _accountMgr.checkAccess(caller, null, vpc); if (customId != null) { acl.setUuid(customId); diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java index f53eb1f7cb7..0c33fc606bc 100644 --- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java +++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java @@ -38,6 +38,7 @@ import javax.naming.ConfigurationException; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.ControlledEntity.ACLType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.command.user.vpc.ListPrivateGatewaysCmd; import org.apache.cloudstack.api.command.user.vpc.ListStaticRoutesCmd; import org.apache.cloudstack.context.CallContext; @@ -761,7 +762,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis Account owner = _accountMgr.getAccount(vpcOwnerId); //Verify that caller can perform actions in behalf of vpc owner - _accountMgr.checkAccess(caller, null, false, owner); + _accountMgr.checkAccess(caller, null, owner); //check resource limit _resourceLimitMgr.checkResourceLimit(owner, ResourceType.vpc); @@ -894,7 +895,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis } //verify permissions - _accountMgr.checkAccess(ctx.getCallingAccount(), null, false, vpc); + _accountMgr.checkAccess(ctx.getCallingAccount(), null, vpc); return destroyVpc(vpc, ctx.getCallingAccount(), ctx.getCallingUserId()); } @@ -962,7 +963,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis throw new InvalidParameterValueException("Unable to find vpc by id " + vpcId); } - _accountMgr.checkAccess(caller, null, false, vpcToUpdate); + _accountMgr.checkAccess(caller, null, vpcToUpdate); VpcVO vpc = _vpcDao.createForUpdate(vpcId); @@ -1154,7 +1155,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis } //permission check - _accountMgr.checkAccess(caller, null, false, vpc); + _accountMgr.checkAccess(caller, null, vpc); DataCenter dc = _entityMgr.findById(DataCenter.class, vpc.getZoneId()); @@ -1214,7 +1215,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis } //permission check - _accountMgr.checkAccess(caller, null, false, vpc); + _accountMgr.checkAccess(caller, null, vpc); //shutdown provider s_logger.debug("Shutting down vpc " + vpc); @@ -1480,7 +1481,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis throw ex; } - _accountMgr.checkAccess(caller, null, false, vpc); + _accountMgr.checkAccess(caller, null, vpc); s_logger.debug("Restarting VPC " + vpc); boolean restartRequired = false; @@ -1927,7 +1928,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis throw new InvalidParameterValueException("Unable to find static route by id"); } - _accountMgr.checkAccess(caller, null, false, route); + _accountMgr.checkAccess(caller, null, route); markStaticRouteForRevoke(route, caller); @@ -1975,7 +1976,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis if (vpc == null) { throw new InvalidParameterValueException("Can't add static route to VPC that is being deleted"); } - _accountMgr.checkAccess(caller, null, false, vpc); + _accountMgr.checkAccess(caller, null, vpc); if (!NetUtils.isValidCIDR(cidr)) { throw new InvalidParameterValueException("Invalid format for cidr " + cidr); @@ -2127,7 +2128,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis protected void markStaticRouteForRevoke(StaticRouteVO route, Account caller) { s_logger.debug("Revoking static route " + route); if (caller != null) { - _accountMgr.checkAccess(caller, null, false, route); + _accountMgr.checkAccess(caller, null, route); } if (route.getState() == StaticRoute.State.Staged) { @@ -2191,7 +2192,6 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis IpAddress ipToAssoc = _ntwkModel.getIp(ipId); if (ipToAssoc != null) { - _accountMgr.checkAccess(caller, null, true, ipToAssoc); owner = _accountMgr.getAccount(ipToAssoc.getAllocatedToAccountId()); } else { s_logger.debug("Unable to find ip address by id: " + ipId); @@ -2204,7 +2204,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis } // check permissions - _accountMgr.checkAccess(caller, null, true, owner, vpc); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, ipToAssoc, vpc); boolean isSourceNat = false; if (getExistingSourceNatInVpc(owner.getId(), vpcId) == null) { @@ -2284,7 +2284,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis ex.addProxyObject(String.valueOf(vpcId), "VPC"); throw ex; } - _accountMgr.checkAccess(caller, null, false, vpc); + _accountMgr.checkAccess(caller, null, vpc); if (networkDomain == null) { networkDomain = vpc.getNetworkDomain(); diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java index 531adad3520..0f734dddef7 100755 --- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java @@ -150,7 +150,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc throw new InvalidParameterValueException("Unable to create remote access vpn, invalid public IP address id" + publicIpId); } - _accountMgr.checkAccess(caller, null, true, ipAddr); + _accountMgr.checkAccess(caller, null, ipAddr); if (!ipAddr.readyToUse()) { throw new InvalidParameterValueException("The Ip address is not ready to be used yet: " + ipAddr.getAddress()); @@ -292,7 +292,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc return; } - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, vpn); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, vpn); vpn.setState(RemoteAccessVpn.State.Removed); _remoteAccessVpnDao.update(vpn.getId(), vpn); @@ -387,7 +387,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc if (owner == null) { throw new InvalidParameterValueException("Unable to add vpn user: Another operation active"); } - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); //don't allow duplicated user names for the same account VpnUserVO vpnUser = _vpnUsersDao.findByAccountAndUsername(owner.getId(), username); @@ -416,7 +416,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc if (user == null) { throw new InvalidParameterValueException("Could not find vpn user " + username); } - _accountMgr.checkAccess(caller, null, true, user); + _accountMgr.checkAccess(caller, null, user); Transaction.execute(new TransactionCallbackNoReturn() { @Override @@ -435,7 +435,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc public List listVpnUsers(long vpnOwnerId, String userName) { Account caller = CallContext.current().getCallingAccount(); Account owner = _accountDao.findById(vpnOwnerId); - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); return _vpnUsersDao.listByAccount(vpnOwnerId); } @@ -453,7 +453,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc openFirewall = false; } - _accountMgr.checkAccess(caller, null, true, vpn); + _accountMgr.checkAccess(caller, null, vpn); boolean started = false; try { @@ -499,7 +499,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc public boolean applyVpnUsers(long vpnOwnerId, String userName) { Account caller = CallContext.current().getCallingAccount(); Account owner = _accountDao.findById(vpnOwnerId); - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); s_logger.debug("Applying vpn users for " + owner); List vpns = _remoteAccessVpnDao.findByAccount(vpnOwnerId); @@ -636,7 +636,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc throw new InvalidParameterValueException("Unable to list remote access vpns, IP address " + ipAddressId + " is not associated with an account."); } } - _accountMgr.checkAccess(caller, null, true, publicIp); + _accountMgr.checkAccess(caller, null, publicIp); } Ternary domainIdRecursiveListProject = new Ternary(cmd.getDomainId(), cmd.isRecursive(), null); @@ -747,7 +747,7 @@ public class RemoteAccessVpnManagerImpl extends ManagerBase implements RemoteAcc throw new InvalidParameterValueException("Can't find remote access vpn by id " + id); } - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vpn); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vpn); if (customId != null) { vpn.setUuid(customId); } diff --git a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java index fdb5bbf1247..1d6ed22b416 100644 --- a/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java @@ -24,6 +24,9 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.api.command.user.vpn.CreateVpnConnectionCmd; import org.apache.cloudstack.api.command.user.vpn.CreateVpnCustomerGatewayCmd; import org.apache.cloudstack.api.command.user.vpn.CreateVpnGatewayCmd; @@ -37,8 +40,6 @@ import org.apache.cloudstack.api.command.user.vpn.ResetVpnConnectionCmd; import org.apache.cloudstack.api.command.user.vpn.UpdateVpnCustomerGatewayCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.framework.config.dao.ConfigurationDao; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.configuration.Config; import com.cloud.event.ActionEvent; @@ -124,7 +125,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); //Verify that caller can perform actions in behalf of vpc owner - _accountMgr.checkAccess(caller, null, false, owner); + _accountMgr.checkAccess(caller, null, owner); Long vpcId = cmd.getVpcId(); VpcVO vpc = _vpcDao.findById(vpcId); @@ -174,7 +175,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); //Verify that caller can perform actions in behalf of vpc owner - _accountMgr.checkAccess(caller, null, false, owner); + _accountMgr.checkAccess(caller, null, owner); String name = cmd.getName(); String gatewayIp = cmd.getGatewayIp(); @@ -242,21 +243,21 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); //Verify that caller can perform actions in behalf of vpc owner - _accountMgr.checkAccess(caller, null, false, owner); + _accountMgr.checkAccess(caller, null, owner); Long customerGatewayId = cmd.getCustomerGatewayId(); Site2SiteCustomerGateway customerGateway = _customerGatewayDao.findById(customerGatewayId); if (customerGateway == null) { throw new InvalidParameterValueException("Unable to found specified Site to Site VPN customer gateway " + customerGatewayId + " !"); } - _accountMgr.checkAccess(caller, null, false, customerGateway); + _accountMgr.checkAccess(caller, null, customerGateway); Long vpnGatewayId = cmd.getVpnGatewayId(); Site2SiteVpnGateway vpnGateway = _vpnGatewayDao.findById(vpnGatewayId); if (vpnGateway == null) { throw new InvalidParameterValueException("Unable to found specified Site to Site VPN gateway " + vpnGatewayId + " !"); } - _accountMgr.checkAccess(caller, null, false, vpnGateway); + _accountMgr.checkAccess(caller, null, vpnGateway); if (customerGateway.getAccountId() != vpnGateway.getAccountId() || customerGateway.getDomainId() != vpnGateway.getDomainId()) { throw new InvalidParameterValueException("VPN connection can only be esitablished between same account's VPN gateway and customer gateway!"); @@ -366,7 +367,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn if (customerGateway == null) { throw new InvalidParameterValueException("Fail to find customer gateway with " + id + " !"); } - _accountMgr.checkAccess(caller, null, false, customerGateway); + _accountMgr.checkAccess(caller, null, customerGateway); return doDeleteCustomerGateway(customerGateway); } @@ -401,7 +402,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn throw new InvalidParameterValueException("Fail to find vpn gateway with " + id + " !"); } - _accountMgr.checkAccess(caller, null, false, vpnGateway); + _accountMgr.checkAccess(caller, null, vpnGateway); doDeleteVpnGateway(vpnGateway); return true; @@ -418,7 +419,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn if (gw == null) { throw new InvalidParameterValueException("Find to find customer gateway with id " + id); } - _accountMgr.checkAccess(caller, null, false, gw); + _accountMgr.checkAccess(caller, null, gw); List conns = _vpnConnectionDao.listByCustomerGatewayId(id); if (conns != null) { @@ -508,7 +509,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to delete!"); } - _accountMgr.checkAccess(caller, null, false, conn); + _accountMgr.checkAccess(caller, null, conn); if (conn.getState() == State.Connected) { stopVpnConnection(id); @@ -557,7 +558,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn if (conn == null) { throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id + " to reset!"); } - _accountMgr.checkAccess(caller, null, false, conn); + _accountMgr.checkAccess(caller, null, conn); if (conn.getState() == State.Pending) { throw new InvalidParameterValueException("VPN connection " + id + " cannot be reseted when state is Pending!"); @@ -821,7 +822,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn throw new InvalidParameterValueException("Fail to find site to site VPN connection " + id); } - _accountMgr.checkAccess(caller, null, false, conn); + _accountMgr.checkAccess(caller, null, conn); if (customId != null) { conn.setUuid(customId); } @@ -844,7 +845,7 @@ public class Site2SiteVpnManagerImpl extends ManagerBase implements Site2SiteVpn throw new InvalidParameterValueException("Fail to find vpn gateway with " + id); } - _accountMgr.checkAccess(caller, null, false, vpnGateway); + _accountMgr.checkAccess(caller, null, vpnGateway); if (customId != null) { vpnGateway.setUuid(customId); } diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java index d10c059bd52..6aa5abc0e8c 100755 --- a/server/src/com/cloud/projects/ProjectManagerImpl.java +++ b/server/src/com/cloud/projects/ProjectManagerImpl.java @@ -244,7 +244,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { throw new InvalidParameterValueException("Unable to find project by id " + projectId); } - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); //at this point enabling project doesn't require anything, so just update the state project.setState(State.Active); @@ -264,7 +264,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { throw new InvalidParameterValueException("Unable to find project by id " + projectId); } - _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project); } @@ -463,7 +463,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { } //verify permissions - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); Transaction.execute(new TransactionCallbackWithExceptionNoReturn() { @Override @@ -550,7 +550,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { } //verify permissions - only project owner can assign - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); //Check if the account already added to the project ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId()); @@ -628,7 +628,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { } //verify permissions - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); //Check if the account exists in the project ProjectAccount projectAccount = _projectAccountDao.findByProjectIdAccountId(projectId, account.getId()); @@ -750,7 +750,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { } //verify permissions - _accountMgr.checkAccess(caller, null, true, account); + _accountMgr.checkAccess(caller, null, account); accountId = account.getId(); } else { @@ -830,7 +830,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { } //verify permissions - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); //allow project activation only when it's in Suspended state Project.State currentState = project.getState(); @@ -870,7 +870,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { throw ex; } - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); if (suspendProject(project)) { s_logger.debug("Successfully suspended project id=" + projectId); @@ -1012,7 +1012,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { Project project = getProject(invitation.getProjectId()); //check permissions - only project owner can remove the invitations - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, _accountMgr.getAccount(project.getProjectAccountId())); if (_projectInvitationDao.remove(id)) { s_logger.debug("Project Invitation id=" + id + " is removed"); diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java index 74cfc31e749..85ebe0a8da0 100755 --- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java +++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java @@ -480,7 +480,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim return limits; } - _accountMgr.checkAccess(caller, null, true, account); + _accountMgr.checkAccess(caller, null, account); domainId = null; } } @@ -500,7 +500,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim if (id != null) { ResourceLimitVO vo = _resourceLimitDao.findById(id); if (vo.getAccountId() != null) { - _accountMgr.checkAccess(caller, null, true, _accountDao.findById(vo.getAccountId())); + _accountMgr.checkAccess(caller, null, _accountDao.findById(vo.getAccountId())); limits.add(vo); } else if (vo.getDomainId() != null) { _accountMgr.checkAccess(caller, _domainDao.findById(vo.getDomainId())); @@ -650,9 +650,9 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim } if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { - _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, account); + _accountMgr.checkAccess(caller, AccessType.ModifyProject, account); } else { - _accountMgr.checkAccess(caller, null, true, account); + _accountMgr.checkAccess(caller, null, account); } ownerType = ResourceOwnerType.Account; diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java index bce2930ecf2..e33c7c71086 100755 --- a/server/src/com/cloud/server/ManagementServerImpl.java +++ b/server/src/com/cloud/server/ManagementServerImpl.java @@ -953,7 +953,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe List events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds); ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]); - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents); if (ids != null && events.size() < ids.size()) { result = false; @@ -980,7 +980,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe List events = _eventDao.listToArchiveOrDeleteEvents(ids, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds); ControlledEntity[] sameOwnerEvents = events.toArray(new ControlledEntity[events.size()]); - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, sameOwnerEvents); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, sameOwnerEvents); if (ids != null && events.size() < ids.size()) { result = false; @@ -3294,7 +3294,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe } // check permissions - _accountMgr.checkAccess(caller, null, true, _accountMgr.getAccount(user.getAccountId())); + _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(user.getAccountId())); String cloudIdentifier = _configDao.getValue("cloud.identifier"); if (cloudIdentifier == null) { @@ -3401,7 +3401,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe throw ex; } - _accountMgr.checkAccess(caller, null, true, group); + _accountMgr.checkAccess(caller, null, group); // Check if name is already in use by this account (exclude this group) boolean isNameInUse = _vmGroupDao.isNameInUse(group.getAccountId(), groupName); @@ -3646,7 +3646,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe } // make permission check - _accountMgr.checkAccess(caller, null, true, vm); + _accountMgr.checkAccess(caller, null, vm); _userVmDao.loadDetails(vm); String password = vm.getDetail("Encrypted.Password"); @@ -3819,7 +3819,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe throw new InvalidParameterValueException("Unable to find SystemVm with id " + systemVmId); } - _accountMgr.checkAccess(caller, null, true, systemVm); + _accountMgr.checkAccess(caller, null, systemVm); // Check that the specified service offering ID is valid ServiceOfferingVO newServiceOffering = _offeringDao.findById(serviceOfferingId); diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java index 60f32cf4bb0..16d7a3292fe 100644 --- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java +++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java @@ -522,7 +522,7 @@ public class ConsoleProxyServlet extends HttpServlet { switch (vm.getType()) { case User: try { - _accountMgr.checkAccess(accountObj, null, true, vm); + _accountMgr.checkAccess(accountObj, null, vm); } catch (PermissionDeniedException ex) { if (_accountMgr.isNormalUser(accountObj.getId())) { if (s_logger.isDebugEnabled()) { diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java index cd3d897b849..c0741c58637 100644 --- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java +++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java @@ -26,6 +26,9 @@ import java.util.concurrent.ExecutionException; import javax.inject.Inject; +import org.apache.log4j.Logger; + +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.command.user.volume.AttachVolumeCmd; import org.apache.cloudstack.api.command.user.volume.CreateVolumeCmd; import org.apache.cloudstack.api.command.user.volume.DetachVolumeCmd; @@ -68,7 +71,6 @@ import org.apache.cloudstack.storage.datastore.db.VolumeDataStoreDao; import org.apache.cloudstack.storage.datastore.db.VolumeDataStoreVO; import org.apache.cloudstack.storage.image.datastore.ImageStoreEntity; import org.apache.cloudstack.utils.identity.ManagementServerNode; -import org.apache.log4j.Logger; import com.cloud.agent.AgentManager; import com.cloud.agent.api.Answer; @@ -263,7 +265,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format) throws ResourceAllocationException { // permission check - _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId)); + _accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId)); // Check that the resource limit for volumes won't be exceeded _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.volume); @@ -372,10 +374,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic Boolean displayVolume = cmd.getDisplayVolume(); // permission check - _accountMgr.checkAccess(caller, null, true, _accountMgr.getActiveAccountById(ownerId)); + _accountMgr.checkAccess(caller, null, _accountMgr.getActiveAccountById(ownerId)); if (displayVolume == null) { displayVolume = true; + } else { if (!_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted "); @@ -499,9 +502,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic size = snapshotCheck.getSize(); // ; disk offering is used for tags // purposes - // check snapshot permissions - _accountMgr.checkAccess(caller, null, true, snapshotCheck); - // one step operation - create volume in VM's cluster and attach it // to the VM Long vmId = cmd.getVirtualMachineId(); @@ -516,9 +516,6 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic if (vm.getState() != State.Running && vm.getState() != State.Stopped) { throw new InvalidParameterValueException("Please specify a VM that is either running or stopped."); } - - // permission check - _accountMgr.checkAccess(caller, null, false, vm); } } @@ -766,7 +763,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic } /* does the caller have the authority to act on this volume? */ - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume); long currentSize = volume.getSize(); @@ -929,7 +926,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic throw new InvalidParameterValueException("There are snapshot creating on it, Unable to delete the volume"); } - _accountMgr.checkAccess(caller, null, true, volume); + _accountMgr.checkAccess(caller, null, volume); if (volume.getInstanceId() != null) { throw new InvalidParameterValueException("Please specify a volume that is not attached to any VM."); @@ -1136,7 +1133,11 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic throw new InvalidParameterValueException("Unable to attach volume, please specify a VM that does not have VM snapshots"); } - if (!(Volume.State.Allocated.equals(volumeToAttach.getState()) || Volume.State.Ready.equals(volumeToAttach.getState()) || Volume.State.Uploaded.equals(volumeToAttach.getState()))) { + // permission check + _accountMgr.checkAccess(caller, AccessType.OperateEntry, volumeToAttach, vm); + + if (!(Volume.State.Allocated.equals(volumeToAttach.getState()) || Volume.State.Ready.equals(volumeToAttach.getState()) || Volume.State.Uploaded.equals(volumeToAttach + .getState()))) { throw new InvalidParameterValueException("Volume state must be in Allocated, Ready or in Uploaded state"); } @@ -1356,7 +1357,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic } // Permissions check - _accountMgr.checkAccess(caller, null, true, volume); + _accountMgr.checkAccess(caller, null, volume); // Check that the volume is currently attached to a VM @@ -1823,7 +1824,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic } // perform permission check - _accountMgr.checkAccess(account, null, true, volume); + _accountMgr.checkAccess(account, null, volume); if (_dcDao.findById(zoneId) == null) { throw new InvalidParameterValueException("Please specify a valid zone."); diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java index 388a952a23a..c22e1485478 100755 --- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java +++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java @@ -286,7 +286,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, boolean backedUp = false; // does the caller have the authority to act on this volume - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume); SnapshotInfo snapshot = snapshotFactory.getSnapshot(snapshotId, DataStoreRole.Primary); @@ -391,7 +391,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, throw new InvalidParameterValueException("unable to find a snapshot with id " + snapshotId); } - _accountMgr.checkAccess(caller, null, true, snapshotCheck); + _accountMgr.checkAccess(caller, null, snapshotCheck); SnapshotStrategy snapshotStrategy = _storageStrategyFactory.getSnapshotStrategy(snapshotCheck, SnapshotOperation.DELETE); if (snapshotStrategy == null) { s_logger.error("Unable to find snaphot strategy to handle snapshot with id '" + snapshotId + "'"); @@ -450,7 +450,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, if (volumeId != null) { VolumeVO volume = _volsDao.findById(volumeId); if (volume != null) { - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume); } } @@ -624,7 +624,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, throw new InvalidParameterValueException("Failed to create snapshot policy, unable to find a volume with id " + volumeId); } - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume); if (volume.getState() != Volume.State.Ready) { throw new InvalidParameterValueException("VolumeId: " + volumeId + " is not in " + Volume.State.Ready + " state but " + volume.getState() + @@ -723,7 +723,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, if (volume == null) { throw new InvalidParameterValueException("Unable to find a volume with id " + volumeId); } - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume); Pair, Integer> result = _snapshotPolicyDao.listAndCountByVolumeId(volumeId); return new Pair, Integer>(result.first(), result.second()); } @@ -999,7 +999,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, throw new InvalidParameterValueException("Policy id given: " + policy + " does not belong to a valid volume"); } - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, volume); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, volume); } boolean success = true; @@ -1030,12 +1030,9 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, @Override public Snapshot allocSnapshot(Long volumeId, Long policyId) throws ResourceAllocationException { - Account caller = CallContext.current().getCallingAccount(); VolumeInfo volume = volFactory.getVolume(volumeId); supportedByHypervisor(volume); - // Verify permissions - _accountMgr.checkAccess(caller, null, true, volume); Type snapshotType = getSnapshotType(policyId); Account owner = _accountMgr.getAccount(volume.getAccountId()); diff --git a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java index 900c822da83..71722a99ad3 100644 --- a/server/src/com/cloud/tags/TaggedResourceManagerImpl.java +++ b/server/src/com/cloud/tags/TaggedResourceManagerImpl.java @@ -25,11 +25,12 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.log4j.Logger; + import org.apache.cloudstack.api.Identity; import org.apache.cloudstack.api.InternalIdentity; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.storage.datastore.db.StoragePoolVO; -import org.apache.log4j.Logger; import com.cloud.api.query.dao.ResourceTagJoinDao; import com.cloud.dc.DataCenterVO; @@ -222,7 +223,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso Long domainId = accountDomainPair.second(); Long accountId = accountDomainPair.first(); if (accountId != null) { - _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId)); + _accountMgr.checkAccess(caller, null, _accountMgr.getAccount(accountId)); } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) { //check permissions; _accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId)); @@ -284,7 +285,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso for (ResourceTag resourceTag : resourceTags) { //1) validate the permissions Account owner = _accountMgr.getAccount(resourceTag.getAccountId()); - _accountMgr.checkAccess(caller, null, false, owner); + _accountMgr.checkAccess(caller, null, owner); //2) Only remove tag if it matches key value pairs if (tags != null && !tags.isEmpty()) { for (String key : tags.keySet()) { diff --git a/server/src/com/cloud/template/TemplateAdapterBase.java b/server/src/com/cloud/template/TemplateAdapterBase.java index f3c16cad03c..346517475e3 100755 --- a/server/src/com/cloud/template/TemplateAdapterBase.java +++ b/server/src/com/cloud/template/TemplateAdapterBase.java @@ -258,7 +258,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat //check if the caller can operate with the template owner Account caller = CallContext.current().getCallingAccount(); Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); boolean isRouting = (cmd.isRoutingType() == null) ? false : cmd.isRoutingType(); @@ -281,7 +281,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat //check if the caller can operate with the template owner Account caller = CallContext.current().getCallingAccount(); Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); Long zoneId = cmd.getZoneId(); // ignore passed zoneId if we are using region wide image store diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java index 81dc19890f8..0a32c8ef8c7 100755 --- a/server/src/com/cloud/template/TemplateManagerImpl.java +++ b/server/src/com/cloud/template/TemplateManagerImpl.java @@ -369,7 +369,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("Unable to find template id=" + templateId); } - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, vmTemplate); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, vmTemplate); prepareTemplateInAllStoragePools(vmTemplate, zoneId); return vmTemplate; @@ -415,7 +415,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable"); } - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, template); List ssStores = _dataStoreMgr.getImageStoresByScope(new ZoneScope(zoneId)); @@ -722,7 +722,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, return template; } - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, template); boolean success = copy(userId, template, srcSecStore, dstZone); @@ -911,7 +911,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("Please specify a valid VM."); } - _accountMgr.checkAccess(caller, null, true, userVM); + _accountMgr.checkAccess(caller, null, userVM); Long isoId = userVM.getIsoId(); if (isoId == null) { @@ -952,12 +952,11 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, // check permissions // check if caller has access to VM and ISO - // and also check if the VM's owner has access to the ISO. - - _accountMgr.checkAccess(caller, null, false, iso, vm); - + // and also check if the VM's owner has access to the ISO. This is a bit different from sameOwner check for attachVolumeToVM, where both volume and VM need + // OperateEntry access type. Here VM needs OperateEntry access type, ISO needs UseEntry access type. + _accountMgr.checkAccess(caller, null, iso, vm); Account vmOwner = _accountDao.findById(vm.getAccountId()); - _accountMgr.checkAccess(vmOwner, null, false, iso, vm); + _accountMgr.checkAccess(vmOwner, null, iso); State vmState = vm.getState(); if (vmState != State.Running && vmState != State.Stopped) { @@ -1061,7 +1060,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("unable to find template with id " + templateId); } - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, template); if (template.getFormat() == ImageFormat.ISO) { throw new InvalidParameterValueException("Please specify a valid template."); @@ -1084,7 +1083,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("unable to find iso with id " + templateId); } - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, template); if (template.getFormat() != ImageFormat.ISO) { throw new InvalidParameterValueException("Please specify a valid iso."); @@ -1134,7 +1133,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, } if (!template.isPublicTemplate()) { - _accountMgr.checkAccess(caller, null, true, template); + _accountMgr.checkAccess(caller, null, template); } List accountNames = new ArrayList(); @@ -1207,8 +1206,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, } } - //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template); - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template); //TODO: should we replace all ModifyEntry as OperateEntry? + _accountMgr.checkAccess(caller, AccessType.OperateEntry, template); // If the template is removed throw an error. if (template.getRemoved() != null) { @@ -1489,7 +1487,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, Account caller = CallContext.current().getCallingAccount(); boolean isAdmin = (_accountMgr.isAdmin(caller.getType())); - _accountMgr.checkAccess(caller, null, true, templateOwner); + _accountMgr.checkAccess(caller, null, templateOwner); String name = cmd.getTemplateName(); if ((name == null) || (name.length() > 32)) { @@ -1541,7 +1539,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("Failed to create private template record, unable to find volume " + volumeId); } // check permissions - _accountMgr.checkAccess(caller, null, true, volume); + _accountMgr.checkAccess(caller, null, volume); // If private template is created from Volume, check that the volume // will not be active when the private template is @@ -1564,7 +1562,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, volume = _volumeDao.findById(snapshot.getVolumeId()); // check permissions - _accountMgr.checkAccess(caller, null, true, snapshot); + _accountMgr.checkAccess(caller, null, snapshot); if (snapshot.getState() != Snapshot.State.BackedUp) { throw new InvalidParameterValueException("Snapshot id=" + snapshotId + " is not in " + Snapshot.State.BackedUp + @@ -1780,7 +1778,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, verifyTemplateId(id); // do a permission check - _accountMgr.checkAccess(account, AccessType.OperateEntry, true, template); + _accountMgr.checkAccess(account, AccessType.OperateEntry, template); if (cmd.isRoutingType() != null) { if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied"); diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 2070ee6b4de..6de70c6026e 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -450,6 +450,20 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } + @Override + public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException { + // TODO this will eventually deprecate below sameOwner check interface. + // TO BE IMPLEMENTED when multiple controlled entity support interface is added into SecurityChecker + checkAccess(account, accessType, false, entities); + } + + @Override + public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException { + // TODO this will eventually deprecate below sameOwner check interface. + // TO BE IMPLEMENTED when multiple controlled entity support interface is added into SecurityChecker + checkAccess(account, accessType, false, apiName, entities); + } + @Override public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) { checkAccess(caller, accessType, sameOwner, null, entities); @@ -1112,7 +1126,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed"); } - checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account); + checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account); if (firstName != null) { if (firstName.isEmpty()) { @@ -1226,7 +1240,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("User id : " + userId + " is a system user, disabling is not allowed"); } - checkAccess(caller, AccessType.OperateEntry, true, account); + checkAccess(caller, AccessType.OperateEntry, account); boolean success = doSetUserStatus(userId, State.disabled); if (success) { @@ -1264,7 +1278,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("User id : " + userId + " is a system user, enabling is not allowed"); } - checkAccess(caller, AccessType.OperateEntry, true, account); + checkAccess(caller, AccessType.OperateEntry, account); boolean success = Transaction.execute(new TransactionCallback() { @Override @@ -1313,7 +1327,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("user id : " + userId + " is a system user, locking is not allowed"); } - checkAccess(caller, AccessType.OperateEntry, true, account); + checkAccess(caller, AccessType.OperateEntry, account); // make sure the account is enabled too // if the user is either locked already or disabled already, don't change state...only lock currently enabled @@ -1377,7 +1391,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("The specified account does not exist in the system"); } - checkAccess(caller, null, true, account); + checkAccess(caller, null, account); // don't allow to delete default account (system and admin) if (account.isDefault()) { @@ -1422,7 +1436,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M // Check if user performing the action is allowed to modify this account Account caller = CallContext.current().getCallingAccount(); - checkAccess(caller, AccessType.OperateEntry, true, account); + checkAccess(caller, AccessType.OperateEntry, account); boolean success = enableAccount(account.getId()); if (success) { @@ -1456,7 +1470,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("Account id : " + accountId + " is a system account, lock is not allowed"); } - checkAccess(caller, AccessType.OperateEntry, true, account); + checkAccess(caller, AccessType.OperateEntry, account); if (lockAccount(account.getId())) { CallContext.current().putContextParameter(Account.class, account.getUuid()); @@ -1486,7 +1500,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new PermissionDeniedException("Account id : " + accountId + " is a system account, disable is not allowed"); } - checkAccess(caller, AccessType.OperateEntry, true, account); + checkAccess(caller, AccessType.OperateEntry, account); if (disableAccount(account.getId())) { CallContext.current().putContextParameter(Account.class, account.getUuid()); @@ -1605,7 +1619,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M throw new InvalidParameterValueException("The user is default and can't be removed"); } - checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account); + checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, account); CallContext.current().putContextParameter(User.class, user.getUuid()); return _userDao.remove(id); } @@ -2252,7 +2266,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M if (userAccount != null) { //check permissions - checkAccess(caller, null, false, userAccount); + checkAccess(caller, null, userAccount); permittedAccounts.add(userAccount.getId()); } else { throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid()); diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 741b21c640f..7a707ae1cc1 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -35,11 +35,9 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; - import org.apache.commons.codec.binary.Base64; import org.apache.log4j.Logger; -import com.cloud.storage.VolumeApiService; import org.apache.cloudstack.acl.ControlledEntity.ACLType; import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.affinity.AffinityGroupService; @@ -199,6 +197,7 @@ import com.cloud.server.ConfigurationServer; import com.cloud.service.ServiceOfferingVO; import com.cloud.service.dao.ServiceOfferingDao; import com.cloud.service.dao.ServiceOfferingDetailsDao; +import com.cloud.storage.DataStoreRole; import com.cloud.storage.DiskOfferingVO; import com.cloud.storage.GuestOSCategoryVO; import com.cloud.storage.GuestOSVO; @@ -206,13 +205,13 @@ import com.cloud.storage.SnapshotVO; import com.cloud.storage.Storage; import com.cloud.storage.Storage.ImageFormat; import com.cloud.storage.Storage.TemplateType; -import com.cloud.storage.DataStoreRole; import com.cloud.storage.StorageManager; import com.cloud.storage.StoragePool; import com.cloud.storage.StoragePoolStatus; import com.cloud.storage.VMTemplateVO; import com.cloud.storage.VMTemplateZoneVO; import com.cloud.storage.Volume; +import com.cloud.storage.VolumeApiService; import com.cloud.storage.VolumeVO; import com.cloud.storage.dao.DiskOfferingDao; import com.cloud.storage.dao.GuestOSCategoryDao; @@ -533,7 +532,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("Vm with id " + vmId + " is not in the right state"); } - _accountMgr.checkAccess(caller, null, true, userVm); + _accountMgr.checkAccess(caller, null, userVm); boolean result = resetVMPasswordInternal(vmId, password); @@ -639,7 +638,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir + " in specified domain id"); } - _accountMgr.checkAccess(caller, null, true, userVm); + _accountMgr.checkAccess(caller, null, userVm); String password = null; String sshPublicKey = s.getPublicKey(); if (template != null && template.getEnablePassword()) { @@ -779,7 +778,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir + "; make sure the virtual machine is stopped"); } - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); // Check resource limits for CPU and Memory. Map customParameters = cmd.getDetails(); @@ -893,7 +892,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); // Check resource limits for CPU and Memory. ServiceOfferingVO newServiceOffering = _offeringDao.findById(svcOffId); @@ -962,7 +961,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir Long vmId = cmd.getVmId(); Long networkId = cmd.getNetworkId(); String ipAddress = cmd.getIpAddress(); - Account caller = CallContext.current().getCallingAccount(); UserVmVO vmInstance = _vmDao.findById(vmId); if (vmInstance == null) { @@ -973,12 +971,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("unable to find a network with id " + networkId); } - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { - if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain) - && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) { - throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId); - } - } List allNics = _nicDao.listByVmId(vmInstance.getId()); for (NicVO nic : allNics) { @@ -991,18 +983,12 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir profile = new NicProfile(ipAddress, null); } - // Perform permission check on VM - _accountMgr.checkAccess(caller, null, true, vmInstance); - // Verify that zone is not Basic DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId()); if (dc.getNetworkType() == DataCenter.NetworkType.Basic) { throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network"); } - // Perform account permission check on network - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); - //ensure network belongs in zone if (network.getDataCenterId() != vmInstance.getDataCenterId()) { throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId()); @@ -1061,7 +1047,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } // Perform permission check on VM - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); // Verify that zone is not Basic DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId()); @@ -1075,7 +1061,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } // Perform account permission check on network - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); + _accountMgr.checkAccess(caller, AccessType.UseEntry, network); boolean nicremoved = false; @@ -1117,7 +1103,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } // Perform permission check on VM - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); // Verify that zone is not Basic DataCenterVO dc = _dcDao.findById(vmInstance.getDataCenterId()); @@ -1299,7 +1285,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("This operation not permitted for this hypervisor of the vm"); } - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); //Check if its a scale "up" ServiceOfferingVO newServiceOffering = _offeringDao.findById(newServiceOfferingId); @@ -1508,7 +1494,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } // check permissions - _accountMgr.checkAccess(caller, null, true, vm); + _accountMgr.checkAccess(caller, null, vm); if (vm.getRemoved() != null) { if (s_logger.isDebugEnabled()) { @@ -1851,7 +1837,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("unable to find virtual machine with id " + id); } - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vmInstance); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vmInstance); //If the flag is specified and is changed if (isDisplayVm != null && isDisplayVm != vmInstance.isDisplayVm()) { @@ -2066,7 +2052,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - _accountMgr.checkAccess(caller, null, true, vmInstance); + _accountMgr.checkAccess(caller, null, vmInstance); // If the VM is Volatile in nature, on reboot discard the VM's root disk and create a new root disk for it: by calling restoreVM long serviceOfferingId = vmInstance.getServiceOfferingId(); @@ -2170,7 +2156,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("unable to find a vm group with id " + groupId); } - _accountMgr.checkAccess(caller, null, true, group); + _accountMgr.checkAccess(caller, null, group); return deleteVmGroup(groupId); } @@ -2304,7 +2290,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir List networkList = new ArrayList(); // Verify that caller can perform actions in behalf of vm owner - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); // Get default guest network in Basic zone Network defaultNetwork = _networkModel.getExclusiveGuestNetwork(zone.getId()); @@ -2359,7 +2345,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir boolean isVmWare = (template.getHypervisorType() == HypervisorType.VMware || (hypervisor != null && hypervisor == HypervisorType.VMware)); // Verify that caller can perform actions in behalf of vm owner - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); // If no network is specified, find system security group enabled network if (networkIdList == null || networkIdList.isEmpty()) { @@ -2417,7 +2403,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // Perform account permission check if (network.getAclType() == ACLType.Account) { - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); + _accountMgr.checkAccess(caller, AccessType.UseEntry, network); } networkList.add(network); } @@ -2463,7 +2449,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir List networkList = new ArrayList(); // Verify that caller can perform actions in behalf of vm owner - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); List vpcSupportedHTypes = _vpcMgr.getSupportedVpcHypervisors(); if (networkIdList == null || networkIdList.isEmpty()) { @@ -2557,7 +2543,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir List affinityGroupIdList, Map customParameters, String customId) throws InsufficientCapacityException, ResourceUnavailableException, ConcurrentOperationException, StorageUnavailableException, ResourceAllocationException { - _accountMgr.checkAccess(caller, null, true, owner); + _accountMgr.checkAccess(caller, null, owner); if (owner.getState() == Account.State.disabled) { throw new PermissionDeniedException("The owner of vm to deploy is disabled: " + owner); @@ -2633,7 +2619,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("Unable to find security group by id " + securityGroupId); } else { // verify permissions - _accountMgr.checkAccess(caller, null, true, owner, sg); + _accountMgr.checkAccess(owner, AccessType.UseEntry, sg); } } } @@ -2649,27 +2635,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir + " , Please try again after removing the affinity group"); } else { // verify permissions - if (ag.getAclType() == ACLType.Domain) { - _accountMgr.checkAccess(caller, null, false, owner, ag); - // Root admin has access to both VM and AG by default, - // but - // make sure the owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { - if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) { - throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain"); - } - } - } else { - _accountMgr.checkAccess(caller, null, true, owner, ag); - // Root admin has access to both VM and AG by default, - // but - // make sure the owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { - if (ag.getAccountId() != owner.getAccountId()) { - throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account"); - } - } - } + _accountMgr.checkAccess(owner, AccessType.UseEntry, ag); } } } @@ -2695,10 +2661,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } // Check templates permissions - if (!template.isPublicTemplate()) { - Account templateOwner = _accountMgr.getAccount(template.getAccountId()); - _accountMgr.checkAccess(owner, null, true, templateOwner); - } + _accountMgr.checkAccess(owner, AccessType.UseEntry, template); // check if the user data is correct validateUserData(userData, httpmethod); @@ -2727,14 +2690,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId()); } - //relax the check if the caller is admin account - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { - if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain) - && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) { - throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm"); - } - } - + // Perform account permission check on network + _accountMgr.checkAccess(caller, AccessType.UseEntry, network); IpAddresses requestedIpPair = null; if (requestedIps != null && !requestedIps.isEmpty()) { requestedIpPair = requestedIps.get(network.getId()); @@ -3356,7 +3313,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId); } - _accountMgr.checkAccess(callerAccount, null, true, vm); + _accountMgr.checkAccess(callerAccount, null, vm); Account owner = _accountDao.findById(vm.getAccountId()); @@ -3662,7 +3619,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw ex; } - _accountMgr.checkAccess(caller, null, true, vm); + _accountMgr.checkAccess(caller, null, vm); boolean status; @@ -4243,8 +4200,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } //check caller has access to both the old and new account - _accountMgr.checkAccess(caller, null, true, oldAccount); - _accountMgr.checkAccess(caller, null, true, newAccount); + _accountMgr.checkAccess(caller, null, oldAccount); + _accountMgr.checkAccess(caller, null, newAccount); // make sure the accounts are not same if (oldAccount.getAccountId() == newAccount.getAccountId()) { @@ -4297,7 +4254,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir VirtualMachineTemplate template = _templateDao.findById(vm.getTemplateId()); if (!template.isPublicTemplate()) { Account templateOwner = _accountMgr.getAccount(template.getAccountId()); - _accountMgr.checkAccess(newAccount, null, true, templateOwner); + _accountMgr.checkAccess(newAccount, null, templateOwner); } // VV 5: check the new account can create vm in the domain @@ -4554,7 +4511,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir throw ex; } - _accountMgr.checkAccess(caller, null, true, vm); + _accountMgr.checkAccess(caller, null, vm); return restoreVMInternal(caller, vm, newTemplateId); } @@ -4604,7 +4561,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir //newTemplateId can be either template or ISO id. In the following snippet based on the vm deployment (from template or ISO) it is handled accordingly if (newTemplateId != null) { template = _templateDao.findById(newTemplateId); - _accountMgr.checkAccess(caller, null, true, template); + _accountMgr.checkAccess(caller, null, template); if (isISO) { if (!template.getFormat().equals(ImageFormat.ISO)) { throw new InvalidParameterValueException("Invalid ISO id provided to restore the VM "); @@ -4761,7 +4718,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir if (hostId != null) { // root.getPoolId() should be null if the VM we are attaching the disk to has never been started before DataStore dataStore = root.getPoolId() != null ? _dataStoreMgr.getDataStore(root.getPoolId(), DataStoreRole.Primary) : null; - Host host = this._hostDao.findById(hostId); + Host host = _hostDao.findById(hostId); volumeMgr.disconnectVolumeFromHost(volFactory.getVolume(root.getId()), host, dataStore); } @@ -4811,7 +4768,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } //check permissions - _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, true, vm); + _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, vm); return vm.getUserData(); } diff --git a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java index b30fd140576..7a2d0ade11f 100644 --- a/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java +++ b/server/src/com/cloud/vm/snapshot/VMSnapshotManagerImpl.java @@ -297,7 +297,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana } // check access - _accountMgr.checkAccess(caller, null, true, userVmVo); + //_accountMgr.checkAccess(caller, null, userVmVo); // check max snapshot limit for per VM if (_vmSnapshotDao.findByVm(vmId).size() >= _vmSnapshotMax) { @@ -448,7 +448,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId); } - _accountMgr.checkAccess(caller, null, true, vmSnapshot); + _accountMgr.checkAccess(caller, null, vmSnapshot); // check VM snapshot states, only allow to delete vm snapshots in created and error state if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) { @@ -513,7 +513,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana throw new InvalidParameterValueException("unable to find the vm snapshot with id " + vmSnapshotId); } - _accountMgr.checkAccess(caller, null, true, vmSnapshot); + _accountMgr.checkAccess(caller, null, vmSnapshot); // check VM snapshot states, only allow to delete vm snapshots in created and error state if (VMSnapshot.State.Ready != vmSnapshot.getState() && VMSnapshot.State.Expunging != vmSnapshot.getState() && VMSnapshot.State.Error != vmSnapshot.getState()) { @@ -564,7 +564,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana } Account caller = getCaller(); - _accountMgr.checkAccess(caller, null, true, vmSnapshotVo); + _accountMgr.checkAccess(caller, null, vmSnapshotVo); // VM should be in running or stopped states if (userVm.getState() != VirtualMachine.State.Running @@ -646,7 +646,7 @@ public class VMSnapshotManagerImpl extends ManagerBase implements VMSnapshotMana } Account caller = getCaller(); - _accountMgr.checkAccess(caller, null, true, vmSnapshotVo); + _accountMgr.checkAccess(caller, null, vmSnapshotVo); // VM should be in running or stopped states if (userVm.getState() != VirtualMachine.State.Running && userVm.getState() != VirtualMachine.State.Stopped) { diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java index 8e606ca0584..ef636920cd9 100644 --- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java +++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java @@ -262,7 +262,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro affinityGroupId = group.getId(); } // check permissions - _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, group); + _accountMgr.checkAccess(caller, AccessType.OperateEntry, group); final Long affinityGroupIdFinal = affinityGroupId; Transaction.execute(new TransactionCallbackNoReturn() { @@ -353,7 +353,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro if (userVM == null) { throw new InvalidParameterValueException("Unable to list affinity groups for virtual machine instance " + vmId + "; instance not found."); } - _accountMgr.checkAccess(caller, null, true, userVM); + _accountMgr.checkAccess(caller, null, userVM); // add join to affinity_groups_vm_map groupSearch.join("vmInstanceSearch", vmInstanceSearch, groupSearch.entity().getId(), vmInstanceSearch.entity().getAffinityGroupId(), JoinBuilder.JoinType.INNER); @@ -477,14 +477,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro throw new InvalidParameterValueException("Unable to find affinity group by id " + affinityGroupId); } else { // verify permissions - _accountMgr.checkAccess(caller, null, true, owner, ag); - // Root admin has access to both VM and AG by default, but make sure the - // owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { - if (ag.getAccountId() != owner.getAccountId()) { - throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account"); - } - } + _accountMgr.checkAccess(owner, AccessType.UseEntry, ag); } } _affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds); diff --git a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java index 73bf0d2a38b..ad1a2c4ec83 100644 --- a/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java +++ b/server/src/org/apache/cloudstack/network/lb/ApplicationLoadBalancerManagerImpl.java @@ -24,14 +24,15 @@ import java.util.Map; import javax.ejb.Local; import javax.inject.Inject; +import org.apache.log4j.Logger; +import org.springframework.stereotype.Component; + import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.command.user.loadbalancer.ListApplicationLoadBalancersCmd; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService; import org.apache.cloudstack.lb.ApplicationLoadBalancerRuleVO; import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao; -import org.apache.log4j.Logger; -import org.springframework.stereotype.Component; import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; @@ -114,7 +115,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A } Account caller = CallContext.current().getCallingAccount(); - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, guestNtwk); + _accountMgr.checkAccess(caller, AccessType.UseEntry, guestNtwk); Network sourceIpNtwk = _networkModel.getNetwork(sourceIpNetworkId); if (sourceIpNtwk == null) { @@ -546,7 +547,7 @@ public class ApplicationLoadBalancerManagerImpl extends ManagerBase implements A if (rule == null) { throw new InvalidParameterValueException("Unable to find load balancer " + id); } - _accountMgr.checkAccess(caller, null, true, rule); + _accountMgr.checkAccess(caller, null, rule); if (customId != null) { rule.setUuid(customId); diff --git a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java index ba71d631a94..67f2c02e0ca 100644 --- a/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java +++ b/server/src/org/apache/cloudstack/network/lb/CertServiceImpl.java @@ -147,7 +147,7 @@ public class CertServiceImpl implements CertService { if (certVO == null) { throw new InvalidParameterValueException("Invalid certificate id: " + certId); } - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, certVO); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, certVO); List lbCertRule = _lbCertDao.listByCertId(certId); @@ -191,7 +191,7 @@ public class CertServiceImpl implements CertService { throw new InvalidParameterValueException("Invalid certificate id: " + certId); } - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVO); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVO); certLbMap = _lbCertDao.listByCertId(certId); @@ -206,7 +206,7 @@ public class CertServiceImpl implements CertService { throw new InvalidParameterValueException("found no loadbalancer wth id: " + lbRuleId); } - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, lb); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, lb); // get the cert id LoadBalancerCertMapVO lbCertMapRule; @@ -229,7 +229,7 @@ public class CertServiceImpl implements CertService { List certVOList = _sslCertDao.listByAccountId(accountId); if (certVOList == null || certVOList.isEmpty()) return certResponseList; - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, true, certVOList.get(0)); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.UseEntry, certVOList.get(0)); for (SslCertVO cert : certVOList) { certLbMap = _lbCertDao.listByCertId(cert.getId()); diff --git a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java index c84fea29d5e..516b3ab5215 100644 --- a/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java +++ b/server/src/org/apache/cloudstack/region/gslb/GlobalLoadBalancingRulesServiceImpl.java @@ -183,7 +183,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId); } - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule); if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) { throw new InvalidParameterValueException("global load balancer rule id: " + gslbRule.getUuid() + " is in revoked state"); @@ -224,7 +224,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR throw new InvalidParameterValueException("Specified load balancer rule ID does not exist."); } - _accountMgr.checkAccess(caller, null, true, loadBalancer); + _accountMgr.checkAccess(caller, null, loadBalancer); if (gslbRule.getAccountId() != loadBalancer.getAccountId()) { throw new InvalidParameterValueException("GSLB rule and load balancer rule does not belong to same account"); @@ -319,7 +319,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId); } - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule); if (gslbRule.getState() == GlobalLoadBalancerRule.State.Revoke) { throw new InvalidParameterValueException("global load balancer rule id: " + gslbRuleId + " is already in revoked state"); @@ -346,7 +346,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR throw new InvalidParameterValueException("Specified load balancer rule ID does not exist."); } - _accountMgr.checkAccess(caller, null, true, loadBalancer); + _accountMgr.checkAccess(caller, null, loadBalancer); } for (GlobalLoadBalancerLbRuleMapVO gslbLbMapVo : gslbLbMapVos) { @@ -445,7 +445,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR throw new InvalidParameterValueException("Invalid global load balancer rule id: " + gslbRuleId); } - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule); if (gslbRule.getState() == com.cloud.region.ha.GlobalLoadBalancerRule.State.Staged) { if (s_logger.isDebugEnabled()) { @@ -523,7 +523,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR CallContext ctx = CallContext.current(); Account caller = ctx.getCallingAccount(); - _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, true, gslbRule); + _accountMgr.checkAccess(caller, SecurityChecker.AccessType.OperateEntry, gslbRule); if (algorithm != null && !GlobalLoadBalancerRule.Algorithm.isValidAlgorithm(algorithm)) { throw new InvalidParameterValueException("Invalid Algorithm: " + algorithm); @@ -583,7 +583,7 @@ public class GlobalLoadBalancingRulesServiceImpl implements GlobalLoadBalancingR if (gslbRule == null) { throw new InvalidParameterValueException("Invalid gslb rule id specified"); } - _accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, false, gslbRule); + _accountMgr.checkAccess(caller, org.apache.cloudstack.acl.SecurityChecker.AccessType.UseEntry, gslbRule); response.add(gslbRule); return response; diff --git a/server/test/com/cloud/event/EventControlsUnitTest.java b/server/test/com/cloud/event/EventControlsUnitTest.java index 91dc921d261..0dc57427c5a 100644 --- a/server/test/com/cloud/event/EventControlsUnitTest.java +++ b/server/test/com/cloud/event/EventControlsUnitTest.java @@ -60,7 +60,7 @@ public class EventControlsUnitTest extends TestCase { MockitoAnnotations.initMocks(this); _mgmtServer._eventDao = _eventDao; _mgmtServer._accountMgr = _accountMgr; - doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class)); + doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class)); when(_eventDao.listToArchiveOrDeleteEvents(anyList(), anyString(), any(Date.class), any(Date.class), anyList())).thenReturn(_events); } diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java b/server/test/com/cloud/network/MockNetworkModelImpl.java index 093b4edd970..17400400c89 100644 --- a/server/test/com/cloud/network/MockNetworkModelImpl.java +++ b/server/test/com/cloud/network/MockNetworkModelImpl.java @@ -25,6 +25,8 @@ import java.util.Set; import javax.ejb.Local; import javax.naming.ConfigurationException; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; + import com.cloud.dc.Vlan; import com.cloud.exception.InsufficientAddressCapacityException; import com.cloud.exception.InvalidParameterValueException; @@ -878,4 +880,11 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel { public boolean getNetworkEgressDefaultPolicy(Long networkId) { return false; //To change body of implemented methods use File | Settings | File Templates. } + + @Override + public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) { + // TODO Auto-generated method stub + + } + } diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index f373cba922f..f76f3458fd6 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -356,5 +356,16 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco return null; } + @Override + public void checkAccess(Account account, AccessType accessType, ControlledEntity... entities) throws PermissionDeniedException { + // TODO Auto-generated method stub + } + + @Override + public void checkAccess(Account account, AccessType accessType, String apiName, ControlledEntity... entities) throws PermissionDeniedException { + // TODO Auto-generated method stub + + } + } diff --git a/server/test/com/cloud/vm/UserVmManagerTest.java b/server/test/com/cloud/vm/UserVmManagerTest.java index b67c1641448..927d5e33b5f 100755 --- a/server/test/com/cloud/vm/UserVmManagerTest.java +++ b/server/test/com/cloud/vm/UserVmManagerTest.java @@ -283,7 +283,7 @@ public class UserVmManagerTest { doReturn(3L).when(_volumeMock).getTemplateId(); doReturn(ImageFormat.VHD).when(_templateMock).getFormat(); when(_templateDao.findById(anyLong())).thenReturn(_templateMock); - doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock); + doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock); when(_storageMgr.allocateDuplicateVolume(_volumeMock, 14L)).thenReturn(_volumeMock); when(_templateMock.getGuestOSId()).thenReturn(5L); doNothing().when(_vmMock).setGuestOSId(anyLong()); @@ -327,7 +327,7 @@ public class UserVmManagerTest { doReturn(3L).when(_vmMock).getIsoId(); doReturn(ImageFormat.ISO).when(_templateMock).getFormat(); when(_templateDao.findById(anyLong())).thenReturn(_templateMock); - doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock); + doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock); when(_storageMgr.allocateDuplicateVolume(_volumeMock, null)).thenReturn(_volumeMock); doNothing().when(_vmMock).setIsoId(14L); when(_templateMock.getGuestOSId()).thenReturn(5L); @@ -413,7 +413,7 @@ public class UserVmManagerTest { doReturn(VirtualMachine.State.Running).when(_vmInstance).getState(); - doNothing().when(_accountMgr).checkAccess(_account, null, true, _templateMock); + doNothing().when(_accountMgr).checkAccess(_account, null, _templateMock); doNothing().when(_itMgr).checkIfCanUpgrade(_vmMock, _offeringVo); @@ -606,7 +606,7 @@ public class UserVmManagerTest { when(_accountService.getActiveAccountByName(anyString(), anyLong())).thenReturn(newAccount); - doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), + doThrow(new PermissionDeniedException("Access check failed")).when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class)); CallContext.register(user, caller); diff --git a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java index 9d5c2b42ea9..03afdbd5804 100644 --- a/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java +++ b/server/test/com/cloud/vm/snapshot/VMSnapshotManagerTest.java @@ -125,7 +125,7 @@ public class VMSnapshotManagerTest { _vmSnapshotMgr._guestOSDao = _guestOSDao; _vmSnapshotMgr._hypervisorCapabilitiesDao = _hypervisorCapabilitiesDao; - doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(Boolean.class), any(ControlledEntity.class)); + doNothing().when(_accountMgr).checkAccess(any(Account.class), any(AccessType.class), any(ControlledEntity.class)); _vmSnapshotMgr._vmSnapshotMax = _vmSnapshotMax; diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java b/server/test/com/cloud/vpc/MockNetworkModelImpl.java index 41c1c0e03af..c9e975a3d11 100644 --- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java +++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java @@ -26,6 +26,8 @@ import javax.ejb.Local; import javax.inject.Inject; import javax.naming.ConfigurationException; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; + import com.cloud.dc.Vlan; import com.cloud.exception.InsufficientAddressCapacityException; import com.cloud.exception.InvalidParameterValueException; @@ -893,4 +895,11 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel { public boolean getNetworkEgressDefaultPolicy(Long networkId) { return false; //To change body of implemented methods use File | Settings | File Templates. } + + @Override + public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) { + // TODO Auto-generated method stub + + } + }