etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-6581: IAM - Shared Network -Root Admin user is allowed to deploy VM in a shared network that is scoped for a specific domain/account. 

Changes:
- Strict access check in NetworkModel is needed as CS 4.3
- We cannot go through accountMgr since accountMgr is relaxed for rootAdmin
This commit is contained in:
Prachi Damle 2014-05-06 15:58:05 -07:00 committed by Daan Hoogland
parent 8985b8badc
commit 95efad359e
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
View File

@ -74,6 +74,7 @@
<bean id="networkModelImpl" class="com.cloud.network.NetworkModelImpl">
<property name="networkElements" value="#{networkElementsRegistry.registered}" />
<property name="securityCheckers" value="#{securityCheckersRegistry.registered}" />
</bean>
<bean id="configurationServerImpl" class="com.cloud.server.ConfigurationServerImpl" />

21
server/src/com/cloud/network/NetworkModelImpl.java
View File

@ -34,6 +34,7 @@ import javax.naming.ConfigurationException;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.SecurityChecker;
import org.apache.cloudstack.acl.ControlledEntity.ACLType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@ -219,6 +220,16 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap = new HashMap<Service, List<Provider>>();
static HashMap<String, String> s_providerToNetworkElementMap = new HashMap<String, String>();
List<SecurityChecker> _securityCheckers;
public List<SecurityChecker> getSecurityCheckers() {
return _securityCheckers;
}
public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
_securityCheckers = securityCheckers;
}
/**
*
*/
@ -1586,7 +1597,15 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
+ ", permission denied");
}
} else {
_accountMgr.checkAccess(owner, accessType, network);
// Go through IAM (SecurityCheckers)
for (SecurityChecker checker : _securityCheckers) {
if (checker.checkAccess(owner, accessType, null, network)) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Access to " + network + " granted to " + owner + " by " + checker.getName());
}
break;
}
}
}
}