mirror of https://github.com/apache/cloudstack.git
CLOUDSTACK-6349: IAM - No error message presented to the user , when
invalid password is provided. - AccountManager now works using accountId instead of accountType in following methods too: - isResourceDomainAdmin() - isAdmin()
This commit is contained in:
Prachi Damle
Min Chen
parent
797169457b
commit
9514c9e045
|
|
@ -74,7 +74,7 @@ public interface AccountService {
|
|||
User
|
||||
createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID);
|
||||
|
||||
boolean isAdmin(short accountType);
|
||||
boolean isAdmin(Long accountId);
|
||||
|
||||
Account finalizeOwner(Account caller, String accountName, Long domainId, Long projectId);
|
||||
|
||||
|
|
|
|||
|
|
@ -131,7 +131,7 @@ public class CreateUserCmd extends BaseCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -102,7 +102,7 @@ public class CreateAffinityGroupCmd extends BaseAsyncCreateCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -110,7 +110,7 @@ public class DeleteAffinityGroupCmd extends BaseAsyncCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -121,7 +121,7 @@ public class ListIsosCmd extends BaseListTaggedResourcesCmd {
|
|||
public boolean listInReadyState() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
// It is account specific if account is admin type and domainId and accountName are not null
|
||||
boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null);
|
||||
boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getId())) && (getAccountName() != null) && (getDomainId() != null);
|
||||
// Show only those that are downloaded.
|
||||
TemplateFilter templateFilter = TemplateFilter.valueOf(getIsoFilter());
|
||||
boolean onlyReady =
|
||||
|
|
|
|||
|
|
@ -106,7 +106,7 @@ public class UpdateResourceCountCmd extends BaseCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ public class CreateSecurityGroupCmd extends BaseCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -93,7 +93,7 @@ public class DeleteSSHKeyPairCmd extends BaseCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -103,7 +103,7 @@ public class ListTemplatesCmd extends BaseListTaggedResourcesCmd {
|
|||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
// It is account specific if account is admin type and domainId and accountName are not null
|
||||
boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null);
|
||||
boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getId())) && (getAccountName() != null) && (getDomainId() != null);
|
||||
// Show only those that are downloaded.
|
||||
TemplateFilter templateFilter = TemplateFilter.valueOf(getTemplateFilter());
|
||||
boolean onlyReady =
|
||||
|
|
|
|||
|
|
@ -80,7 +80,7 @@ public class ListResourceDetailsCmd extends BaseListProjectAndAccountResourcesCm
|
|||
List<ResourceDetailResponse> resourceDetailResponse = _queryService.listResourceDetails(this);
|
||||
response.setResponses(resourceDetailResponse);
|
||||
response.setResponseName(getCommandName());
|
||||
this.setResponseObject(response);
|
||||
setResponseObject(response);
|
||||
}
|
||||
|
||||
public ResourceTag.ResourceObjectType getResourceType() {
|
||||
|
|
|
|||
|
|
@ -165,7 +165,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
|
|||
}
|
||||
|
||||
@Override
|
||||
public boolean isAdmin(short arg0) {
|
||||
public boolean isAdmin(Long accountId) {
|
||||
// TODO Auto-generated method stub
|
||||
return false;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -350,6 +350,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
|||
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
return true;
|
||||
}
|
||||
} else if (action != null && ("DomainResourceCapability".equals(action))) {
|
||||
if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return checkAccess(caller, entity, accessType);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1829,7 +1829,7 @@ public class ApiDBUtils {
|
|||
}
|
||||
|
||||
public static boolean isAdmin(Account account) {
|
||||
return s_accountService.isAdmin(account.getType());
|
||||
return s_accountService.isAdmin(account.getId());
|
||||
}
|
||||
|
||||
public static List<ResourceTagJoinVO> listResourceTagViewByResourceUUID(String resourceUUID, ResourceObjectType resourceType) {
|
||||
|
|
|
|||
|
|
@ -777,7 +777,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
|
|||
Object keyword = cmd.getKeyword();
|
||||
boolean isAdmin = false;
|
||||
boolean isRootAdmin = false;
|
||||
if (_accountMgr.isAdmin(caller.getType())) {
|
||||
if (_accountMgr.isAdmin(caller.getId())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
if (_accountMgr.isRootAdmin(caller.getId())) {
|
||||
|
|
@ -1279,7 +1279,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
|
|||
sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct
|
||||
// ids
|
||||
|
||||
if (_accountMgr.isAdmin(caller.getType())) {
|
||||
if (_accountMgr.isAdmin(caller.getId())) {
|
||||
if (domainId != null) {
|
||||
DomainVO domain = _domainDao.findById(domainId);
|
||||
if (domain == null) {
|
||||
|
|
@ -1483,7 +1483,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
|
|||
|
||||
// verify permissions - only accounts belonging to the project can list
|
||||
// project's account
|
||||
if (!_accountMgr.isAdmin(caller.getType()) && _projectAccountDao.findByProjectIdAccountId(projectId, caller.getAccountId()) == null) {
|
||||
if (!_accountMgr.isAdmin(caller.getId()) && _projectAccountDao.findByProjectIdAccountId(projectId, caller.getAccountId()) == null) {
|
||||
throw new PermissionDeniedException("Account " + caller + " is not authorized to list users of the project id=" + projectId);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -302,7 +302,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
|
|||
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
boolean isAdmin = false;
|
||||
if ((caller == null) || _accountService.isAdmin(caller.getType())) {
|
||||
if ((caller == null) || _accountService.isAdmin(caller.getId())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1085,14 +1085,14 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
|
|||
}
|
||||
|
||||
// Only Admin can create Shared networks
|
||||
if (ntwkOff.getGuestType() == GuestType.Shared && !_accountMgr.isAdmin(caller.getType())) {
|
||||
if (ntwkOff.getGuestType() == GuestType.Shared && !_accountMgr.isAdmin(caller.getId())) {
|
||||
throw new InvalidParameterValueException("Only Admins can create network with guest type " + GuestType.Shared);
|
||||
}
|
||||
|
||||
// Check if the network is domain specific
|
||||
if (aclType == ACLType.Domain) {
|
||||
// only Admin can create domain with aclType=Domain
|
||||
if (!_accountMgr.isAdmin(caller.getType())) {
|
||||
if (!_accountMgr.isAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Only admin can create networks with aclType=Domain");
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -458,7 +458,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
|
|||
List<ResourceLimitVO> limits = new ArrayList<ResourceLimitVO>();
|
||||
boolean isAccount = true;
|
||||
|
||||
if (!_accountMgr.isAdmin(caller.getType())) {
|
||||
if (!_accountMgr.isAdmin(caller.getId())) {
|
||||
accountId = caller.getId();
|
||||
domainId = null;
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -769,7 +769,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
|
|||
|
||||
if (account != null) {
|
||||
long volAcctId = volume.getAccountId();
|
||||
if (_accountMgr.isAdmin(account.getType())) {
|
||||
if (_accountMgr.isAdmin(account.getId())) {
|
||||
Account userAccount = _accountDao.findById(Long.valueOf(volAcctId));
|
||||
if (!_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) {
|
||||
throw new PermissionDeniedException("Unable to list snapshot schedule for volume " + volumeId + ", permission denied.");
|
||||
|
|
|
|||
|
|
@ -320,7 +320,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
|
|||
private Long accountAndUserValidation(Account account, long userId, UserVmVO vmInstanceCheck, VMTemplateVO template, String msg) throws PermissionDeniedException {
|
||||
|
||||
if (account != null) {
|
||||
if (!_accountMgr.isAdmin(account.getType())) {
|
||||
if (!_accountMgr.isAdmin(account.getId())) {
|
||||
if ((vmInstanceCheck != null) && (account.getId() != vmInstanceCheck.getAccountId())) {
|
||||
throw new PermissionDeniedException(msg + ". Permission denied.");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1218,7 +1218,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
|||
throw new InvalidParameterValueException("unable to update permissions for " + mediaType + " with id " + id);
|
||||
}
|
||||
|
||||
boolean isAdmin = _accountMgr.isAdmin(caller.getType());
|
||||
boolean isAdmin = _accountMgr.isAdmin(caller.getId());
|
||||
// check configuration parameter(allow.public.user.templates) value for
|
||||
// the template owner
|
||||
boolean allowPublicUserTemplates = AllowPublicUserTemplates.valueIn(template.getAccountId());
|
||||
|
|
@ -1485,7 +1485,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
|||
Long userId = CallContext.current().getCallingUserId();
|
||||
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
boolean isAdmin = (_accountMgr.isAdmin(caller.getType()));
|
||||
boolean isAdmin = (_accountMgr.isAdmin(caller.getId()));
|
||||
|
||||
_accountMgr.checkAccess(caller, null, templateOwner);
|
||||
|
||||
|
|
|
|||
|
|
@ -353,9 +353,17 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
}
|
||||
|
||||
@Override
|
||||
public boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
public boolean isAdmin(Long accountId) {
|
||||
if (accountId != null) {
|
||||
AccountVO acct = _accountDao.findById(accountId);
|
||||
if ((isRootAdmin(accountId)) || (isDomainAdmin(accountId)) || (isResourceDomainAdmin(accountId))) {
|
||||
return true;
|
||||
} else if (acct.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -386,7 +394,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
try {
|
||||
if (checker.checkAccess(acct, null, null, "DomainCapability")) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
|
||||
s_logger.debug("DomainAdmin Access granted to " + acct + " by " + checker.getName());
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
|
@ -407,8 +415,23 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
return false;
|
||||
}
|
||||
|
||||
public boolean isResourceDomainAdmin(short accountType) {
|
||||
return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
|
||||
public boolean isResourceDomainAdmin(Long accountId) {
|
||||
if (accountId != null) {
|
||||
AccountVO acct = _accountDao.findById(accountId);
|
||||
for (SecurityChecker checker : _securityCheckers) {
|
||||
try {
|
||||
if (checker.checkAccess(acct, null, null, "DomainResourceCapability")) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("ResourceDomainAdmin Access granted to " + acct + " by " + checker.getName());
|
||||
}
|
||||
return true;
|
||||
}
|
||||
} catch (PermissionDeniedException ex) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
public boolean isInternalAccount(long accountId) {
|
||||
|
|
@ -476,7 +499,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
@Override
|
||||
public Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId) {
|
||||
// We just care for resource domain admin for now. He should be permitted to see only his zone.
|
||||
if (isResourceDomainAdmin(caller.getType())) {
|
||||
if (isResourceDomainAdmin(caller.getAccountId())) {
|
||||
if (zoneId == null)
|
||||
return getZoneIdForAccount(caller);
|
||||
else if (zoneId.compareTo(getZoneIdForAccount(caller)) != 0)
|
||||
|
|
@ -1661,7 +1684,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
return getAccount(project.getProjectAccountId());
|
||||
}
|
||||
|
||||
if (isAdmin(caller.getType()) && accountName != null && domainId != null) {
|
||||
if (isAdmin(caller.getId()) && accountName != null && domainId != null) {
|
||||
Domain domain = _domainMgr.getDomain(domainId);
|
||||
if (domain == null) {
|
||||
throw new InvalidParameterValueException("Unable to find the domain by id=" + domainId);
|
||||
|
|
@ -1674,7 +1697,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
checkAccess(caller, domain);
|
||||
|
||||
return owner;
|
||||
} else if (!isAdmin(caller.getType()) && accountName != null && domainId != null) {
|
||||
} else if (!isAdmin(caller.getId()) && accountName != null && domainId != null) {
|
||||
if (!accountName.equals(caller.getAccountName()) || domainId.longValue() != caller.getDomainId()) {
|
||||
throw new PermissionDeniedException("Can't create/list resources for account " + accountName + " in domain " + domainId + ", permission denied");
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -2075,7 +2075,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
|||
long vmId = cmd.getId();
|
||||
boolean expunge = cmd.getExpunge();
|
||||
|
||||
if (!_accountMgr.isAdmin(ctx.getCallingAccount().getType()) && expunge) {
|
||||
if (!_accountMgr.isAdmin(ctx.getCallingAccount().getId()) && expunge) {
|
||||
throw new PermissionDeniedException("Parameter " + ApiConstants.EXPUNGE + " can be passed by Admin only");
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -120,7 +120,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
|
|||
}
|
||||
|
||||
@Override
|
||||
public boolean isAdmin(short accountType) {
|
||||
public boolean isAdmin(Long accountId) {
|
||||
// TODO Auto-generated method stub
|
||||
return false;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -97,7 +97,7 @@ public class CreateIAMGroupCmd extends BaseAsyncCreateCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
|
|
@ -104,7 +104,7 @@ public class CreateIAMPolicyCmd extends BaseAsyncCreateCmd {
|
|||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getId())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue