etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

allow filtering of listDiskOffering and listServiceOffering APIs by account or project (#7082)

This commit is contained in:
Rodrigo D. Lopez 2023-11-28 10:50:37 -03:00 committed by GitHub
parent 8f39087377
commit 956efb27d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/main/java/org/apache/cloudstack/api/command/user/offering/ListDiskOfferingsCmd.java
View File

@ -16,6 +16,7 @@
// under the License. // under the License.
package org.apache.cloudstack.api.command.user.offering; package org.apache.cloudstack.api.command.user.offering;
import org.apache.cloudstack.api.BaseListProjectAndAccountResourcesCmd;
import org.apache.cloudstack.api.response.StoragePoolResponse; import org.apache.cloudstack.api.response.StoragePoolResponse;
import org.apache.cloudstack.api.response.VolumeResponse; import org.apache.cloudstack.api.response.VolumeResponse;
import org.apache.cloudstack.api.response.ZoneResponse; import org.apache.cloudstack.api.response.ZoneResponse;
@ -23,14 +24,13 @@ import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.DiskOfferingResponse; import org.apache.cloudstack.api.response.DiskOfferingResponse;
import org.apache.cloudstack.api.response.ListResponse; import org.apache.cloudstack.api.response.ListResponse;
@APICommand(name = "listDiskOfferings", description = "Lists all available disk offerings.", responseObject = DiskOfferingResponse.class, @APICommand(name = "listDiskOfferings", description = "Lists all available disk offerings.", responseObject = DiskOfferingResponse.class,
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class ListDiskOfferingsCmd extends BaseListDomainResourcesCmd { public class ListDiskOfferingsCmd extends BaseListProjectAndAccountResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListDiskOfferingsCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(ListDiskOfferingsCmd.class.getName());

4
api/src/main/java/org/apache/cloudstack/api/command/user/offering/ListServiceOfferingsCmd.java
View File

@ -16,12 +16,12 @@
// under the License. // under the License.
package org.apache.cloudstack.api.command.user.offering; package org.apache.cloudstack.api.command.user.offering;
import org.apache.cloudstack.api.BaseListProjectAndAccountResourcesCmd;
import org.apache.cloudstack.api.response.ZoneResponse; import org.apache.cloudstack.api.response.ZoneResponse;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseListDomainResourcesCmd;
import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.Parameter;
import org.apache.cloudstack.api.response.ListResponse; import org.apache.cloudstack.api.response.ListResponse;
import org.apache.cloudstack.api.response.ServiceOfferingResponse; import org.apache.cloudstack.api.response.ServiceOfferingResponse;
@ -29,7 +29,7 @@ import org.apache.cloudstack.api.response.UserVmResponse;
@APICommand(name = "listServiceOfferings", description = "Lists all available service offerings.", responseObject = ServiceOfferingResponse.class, @APICommand(name = "listServiceOfferings", description = "Lists all available service offerings.", responseObject = ServiceOfferingResponse.class,
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class ListServiceOfferingsCmd extends BaseListDomainResourcesCmd { public class ListServiceOfferingsCmd extends BaseListProjectAndAccountResourcesCmd {
public static final Logger s_logger = Logger.getLogger(ListServiceOfferingsCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(ListServiceOfferingsCmd.class.getName());

35
server/src/main/java/com/cloud/api/query/QueryManagerImpl.java
View File

@ -2929,6 +2929,8 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
Object id = cmd.getId(); Object id = cmd.getId();
Object keyword = cmd.getKeyword(); Object keyword = cmd.getKeyword();
Long domainId = cmd.getDomainId(); Long domainId = cmd.getDomainId();
Long projectId = cmd.getProjectId();
String accountName = cmd.getAccountName();
Boolean isRootAdmin = _accountMgr.isRootAdmin(account.getAccountId()); Boolean isRootAdmin = _accountMgr.isRootAdmin(account.getAccountId());
Boolean isRecursive = cmd.isRecursive(); Boolean isRecursive = cmd.isRecursive();
Long zoneId = cmd.getZoneId(); Long zoneId = cmd.getZoneId();
@ -2938,7 +2940,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
// Keeping this logic consistent with domain specific zones // Keeping this logic consistent with domain specific zones
// if a domainId is provided, we just return the disk offering // if a domainId is provided, we just return the disk offering
// associated with this domain // associated with this domain
if (domainId != null) { if (domainId != null && accountName == null) {
if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) { if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) {
// check if the user's domain == do's domain || user's domain is // check if the user's domain == do's domain || user's domain is
// a child of so's domain for non-root users // a child of so's domain for non-root users
@ -3019,9 +3021,9 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
// Filter offerings that are not associated with caller's domain // Filter offerings that are not associated with caller's domain
// Fetch the offering ids from the details table since theres no smart way to filter them in the join ... yet! // Fetch the offering ids from the details table since theres no smart way to filter them in the join ... yet!
Account caller = CallContext.current().getCallingAccount(); account = _accountMgr.finalizeOwner(account, accountName, domainId, projectId);
if (caller.getType() != Account.Type.ADMIN) { if (!Account.Type.ADMIN.equals(account.getType())) {
Domain callerDomain = _domainDao.findById(caller.getDomainId()); Domain callerDomain = _domainDao.findById(account.getDomainId());
List<Long> domainIds = findRelatedDomainIds(callerDomain, isRecursive); List<Long> domainIds = findRelatedDomainIds(callerDomain, isRecursive);
List<Long> ids = _diskOfferingDetailsDao.findOfferingIdsByDomainIds(domainIds); List<Long> ids = _diskOfferingDetailsDao.findOfferingIdsByDomainIds(domainIds);
@ -3100,6 +3102,8 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
searchFilter.addOrderBy(ServiceOfferingJoinVO.class, "id", true); searchFilter.addOrderBy(ServiceOfferingJoinVO.class, "id", true);
Account caller = CallContext.current().getCallingAccount(); Account caller = CallContext.current().getCallingAccount();
Long projectId = cmd.getProjectId();
String accountName = cmd.getAccountName();
Object name = cmd.getServiceOfferingName(); Object name = cmd.getServiceOfferingName();
Object id = cmd.getId(); Object id = cmd.getId();
Object keyword = cmd.getKeyword(); Object keyword = cmd.getKeyword();
@ -3115,9 +3119,10 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
Integer cpuSpeed = cmd.getCpuSpeed(); Integer cpuSpeed = cmd.getCpuSpeed();
Boolean encryptRoot = cmd.getEncryptRoot(); Boolean encryptRoot = cmd.getEncryptRoot();
final Account owner = _accountMgr.finalizeOwner(caller, accountName, domainId, projectId);
SearchCriteria<ServiceOfferingJoinVO> sc = _srvOfferingJoinDao.createSearchCriteria(); SearchCriteria<ServiceOfferingJoinVO> sc = _srvOfferingJoinDao.createSearchCriteria();
if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) { if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) {
throw new InvalidParameterValueException("Only ROOT admins can access system's offering"); throw new InvalidParameterValueException("Only ROOT admins can access system offerings.");
} }
// Keeping this logic consistent with domain specific zones // Keeping this logic consistent with domain specific zones
@ -3126,8 +3131,8 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) { if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) {
// check if the user's domain == so's domain || user's domain is a // check if the user's domain == so's domain || user's domain is a
// child of so's domain // child of so's domain
if (!isPermissible(caller.getDomainId(), domainId)) { if (!isPermissible(owner.getDomainId(), domainId)) {
throw new PermissionDeniedException("The account:" + caller.getAccountName() + " does not fall in the same domain hierarchy as the service offering"); throw new PermissionDeniedException("The account:" + owner.getAccountName() + " does not fall in the same domain hierarchy as the service offering");
} }
} }
@ -3139,7 +3144,7 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
throw ex; throw ex;
} }
_accountMgr.checkAccess(caller, null, true, vmInstance); _accountMgr.checkAccess(owner, null, true, vmInstance);
currentVmOffering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId()); currentVmOffering = _srvOfferingDao.findByIdIncludingRemoved(vmInstance.getId(), vmInstance.getServiceOfferingId());
if (! currentVmOffering.isDynamic()) { if (! currentVmOffering.isDynamic()) {
@ -3187,22 +3192,22 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
} }
// boolean includePublicOfferings = false; // boolean includePublicOfferings = false;
if ((_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId())) || caller.getType() == Account.Type.RESOURCE_DOMAIN_ADMIN) { if ((_accountMgr.isNormalUser(owner.getId()) || _accountMgr.isDomainAdmin(owner.getId())) || owner.getType() == Account.Type.RESOURCE_DOMAIN_ADMIN) {
// For non-root users. // For non-root users.
if (isSystem) { if (isSystem) {
throw new InvalidParameterValueException("Only root admins can access system's offering"); throw new InvalidParameterValueException("Only root admins can access system's offering");
} }
if (isRecursive) { // domain + all sub-domains if (isRecursive) { // domain + all sub-domains
if (caller.getType() == Account.Type.NORMAL) { if (owner.getType() == Account.Type.NORMAL) {
throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list service offerings with isrecursive=true"); throw new InvalidParameterValueException("Only ROOT admins and Domain admins can list service offerings with isrecursive=true");
} }
} }
} else { } else {
// for root users // for root users
if (caller.getDomainId() != 1 && isSystem) { // NON ROOT admin if (owner.getDomainId() != 1 && isSystem) { // NON ROOT admin
throw new InvalidParameterValueException("Non ROOT admins cannot access system's offering"); throw new InvalidParameterValueException("Non ROOT admins cannot access system's offering.");
} }
if (domainId != null) { if (domainId != null && accountName == null) {
sc.addAnd("domainId", Op.FIND_IN_SET, String.valueOf(domainId)); sc.addAnd("domainId", Op.FIND_IN_SET, String.valueOf(domainId));
} }
} }
@ -3286,8 +3291,8 @@ public class QueryManagerImpl extends MutualExclusiveIdsManagerBase implements Q
// Filter offerings that are not associated with caller's domain // Filter offerings that are not associated with caller's domain
// Fetch the offering ids from the details table since theres no smart way to filter them in the join ... yet! // Fetch the offering ids from the details table since theres no smart way to filter them in the join ... yet!
if (caller.getType() != Account.Type.ADMIN) { if (owner.getType() != Account.Type.ADMIN) {
Domain callerDomain = _domainDao.findById(caller.getDomainId()); Domain callerDomain = _domainDao.findById(owner.getDomainId());
List<Long> domainIds = findRelatedDomainIds(callerDomain, isRecursive); List<Long> domainIds = findRelatedDomainIds(callerDomain, isRecursive);
List<Long> ids = _srvOfferingDetailsDao.findOfferingIdsByDomainIds(domainIds); List<Long> ids = _srvOfferingDetailsDao.findOfferingIdsByDomainIds(domainIds);