diff --git a/api/src/com/cloud/network/NetworkModel.java b/api/src/com/cloud/network/NetworkModel.java
index f6555db565e..1e0a8e88e48 100644
--- a/api/src/com/cloud/network/NetworkModel.java
+++ b/api/src/com/cloud/network/NetworkModel.java
@@ -22,6 +22,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -273,4 +275,6 @@ public interface NetworkModel {
     boolean isNetworkReadyForGc(long networkId);
     boolean getNetworkEgressDefaultPolicy(Long networkId);
+
+    void checkNetworkPermissions(Account owner, Network network, AccessType accessType);
 }
\ No newline at end of file
diff --git a/engine/schema/src/com/cloud/network/dao/NetworkVO.java b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
index f1d7e7efba9..6bb39023949 100644
--- a/engine/schema/src/com/cloud/network/dao/NetworkVO.java
+++ b/engine/schema/src/com/cloud/network/dao/NetworkVO.java
@@ -513,7 +513,7 @@ public class NetworkVO implements Network {
     @Override
     public String toString() {
         StringBuilder buf = new StringBuilder("Ntwk[");
-        buf.append(id).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");
+        buf.append(uuid).append("|").append(trafficType).append("|").append(networkOfferingId).append("]");
         return buf.toString();
     }
diff --git a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
index f34eaccbb06..acd9b4e86f0 100644
--- a/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
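Review bot: The new checkNetworkPermissions declaration in the NetworkModel hunk carries no Javadoc, so implementors and callers must read NetworkModelImpl to learn what accessType means and that denial is signalled by an exception rather than a return value. I would add a Javadoc above it stating that it verifies owner may use network at the given accessType, with `@throws PermissionDeniedException` when the account may not use the network (that is what the NetworkModelImpl hunk in this commit throws) and a sentence on whether a null owner is accepted. The file also still ends without a trailing newline, as the hunk's `\ No newline at end of file` marker shows; worth fixing while the file is being touched.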
+++ b/plugins/network-elements/juniper-contrail/src/org/apache/cloudstack/network/contrail/management/ServiceManagerImpl.java
@@ -30,6 +30,7 @@ import javax.inject.Inject;
 import net.juniper.contrail.api.ApiConnector;
 import net.juniper.contrail.api.types.ServiceInstance;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.network.contrail.api.response.ServiceInstanceResponse;
 import org.apache.cloudstack.network.contrail.model.ServiceInstanceModel;
@@ -136,10 +137,10 @@ public class ServiceManagerImpl implements ServiceManager {
         // TODO: permission model.
         // service instances need to be able to access the public network.
         if (left.getTrafficType() == TrafficType.Guest) {
-            _networkModel.checkNetworkPermissions(owner, left);
+            _networkModel.checkNetworkPermissions(owner, left, AccessType.UseEntry);
         }
         if (right.getTrafficType() == TrafficType.Guest) {
-            _networkModel.checkNetworkPermissions(owner, right);
+            _networkModel.checkNetworkPermissions(owner, right, AccessType.UseEntry);
         }
         final ApiConnector api = _manager.getApiConnector();
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java b/server/src/com/cloud/network/NetworkModelImpl.java
index 7b4b2bebdb2..531cf94f551 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -35,6 +35,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.lb.dao.ApplicationLoadBalancerRuleDao;
@@ -97,6 +98,7 @@ import com.cloud.offerings.dao.NetworkOfferingServiceMapDao;
 import com.cloud.projects.dao.ProjectAccountDao;
 import com.cloud.server.ConfigurationServer;
 import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
 import com.cloud.user.AccountVO;
 import com.cloud.user.DomainManager;
 import com.cloud.user.dao.AccountDao;
@@ -173,7 +175,8 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
     FirewallRulesDao _firewallDao;
     @Inject
     DomainManager _domainMgr;
-
+    @Inject
+    AccountManager _accountMgr;
     @Inject
     NetworkOfferingServiceMapDao _ntwkOfferingSrvcDao;
     @Inject
@@ -1566,6 +1569,27 @@ public class NetworkModelImpl extends ManagerBase implements NetworkModel {
         }
     }
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        if (network == null) {
+            throw new CloudRuntimeException("cannot check permissions on (Network) ");
+        }
+
+        AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+        if (networkOwner == null) {
+            throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+                + ", network does not have an owner");
+        }
+        if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT && networkOwner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+            if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), network.getAccountId())) {
+                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid()
+                    + ", permission denied");
+            }
+        } else {
+            _accountMgr.checkAccess(owner, accessType, true, network);
+        }
+    }
+
     @Override
     public String getDefaultPublicTrafficLabel(long dcId, HypervisorType hypervisorType) {
         try {
diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java
index 7431891e8e1..5d2f1ae4204 100755
--- a/server/src/com/cloud/server/ManagementServerImpl.java
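Review bot: In the -1566 hunk checkNetworkPermissions null-checks network but dereferences owner unconditionally at `owner.getType()`, so a caller passing a null account gets a NullPointerException instead of the CloudRuntimeException the method uses for a missing network; a guard `if (owner == null) { throw new CloudRuntimeException("cannot check permissions on (Network) without an owner account"); }` at the top keeps the error path consistent. Separately, accessType is only honoured in the else branch: when a non-project account uses a project-owned network, the decision is `canAccessProjectAccount` alone and the requested access type is ignored, which is fine if intended but deserves a comment above that branch saying project membership is the whole check there. The `(NetworkVO) network` casts in the two exception messages will throw ClassCastException for any other Network implementation; if the Network interface already exposes getUuid() the cast can simply be dropped, otherwise `network.getId()` avoids it.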
+++ b/server/src/com/cloud/server/ManagementServerImpl.java
@@ -2756,6 +2756,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
         cmdList.add(ListIpForwardingRulesCmd.class);
         cmdList.add(CreateNetworkACLCmd.class);
         cmdList.add(CreateNetworkCmd.class);
+        cmdList.add(CreateNetworkCmdByAdmin.class);
         cmdList.add(DeleteNetworkACLCmd.class);
         cmdList.add(DeleteNetworkCmd.class);
         cmdList.add(ListNetworkACLsCmd.class);
diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java
index a1dd6c981cc..62f4a535c00 100755
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@@ -972,12 +972,6 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw new InvalidParameterValueException("unable to find a network with id " + networkId);
         }
-        if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-            if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain) && !(network.getAclType() == ACLType.Account && network.getAccountId() == vmInstance.getAccountId())) {
-                throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vmId: " + vmId);
-            }
-        }
         List allNics = _nicDao.listByVmId(vmInstance.getId());
         for (NicVO nic : allNics) {
@@ -2527,7 +2521,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             }
         }
-        _networkModel.checkNetworkPermissions(owner, network);
+        _networkModel.checkNetworkPermissions(owner, network, AccessType.UseEntry);
         // don't allow to use system networks
         NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
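Review bot: `CreateNetworkCmdByAdmin` is added to cmdList in the ManagementServerImpl hunk, but no import for it appears anywhere in this file's diff; unless the import already exists in the unchanged part of the file, this hunk will not compile and the import belongs in the same commit. The enclosing getCommands method starts and ends outside the hunk.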
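Review bot: The -972 hunk in UserVmManagerImpl removes the non-admin guard that limited the operation to shared domain networks or isolated networks of the VM's own account, and nothing in the hunk replaces it, whereas the -2726 hunk substitutes `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network)` for the same removed logic. If the rest of the method (outside the hunk) does not already perform an equivalent checkAccess or checkNetworkPermissions call, this is an authorization regression rather than a refactor, because the network's ownership and ACL type would no longer be validated against the caller before the NIC is added. Putting the same one-line `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);` where the removed block stood would keep the two code paths consistent. The enclosing method starts and ends outside the hunk.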
@@ -2726,13 +2720,8 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
                 throw new InvalidParameterValueException("Network id=" + network.getId() + " doesn't belong to zone " + zone.getId());
             }
-            //relax the check if the caller is admin account
-            if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
-                if (!(network.getGuestType() == Network.GuestType.Shared && network.getAclType() == ACLType.Domain) && !(network.getAclType() == ACLType.Account && network.getAccountId() == accountId)) {
-                    throw new InvalidParameterValueException("only shared network or isolated network with the same account_id can be added to vm");
-                }
-            }
+            // Perform account permission check on network
+            _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);
             IpAddresses requestedIpPair = null;
             if (requestedIps != null && !requestedIps.isEmpty()) {
@@ -4441,7 +4430,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
             throw ex;
         }
-        _networkModel.checkNetworkPermissions(newAccount, network);
+        _networkModel.checkNetworkPermissions(newAccount, network, AccessType.UseEntry);
         // don't allow to use system networks
         NetworkOffering networkOffering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
diff --git a/server/test/com/cloud/network/MockNetworkModelImpl.java b/server/test/com/cloud/network/MockNetworkModelImpl.java
index 6c9e597b9f3..33387fae646 100644
--- a/server/test/com/cloud/network/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/network/MockNetworkModelImpl.java
@@ -25,6 +25,8 @@ import java.util.Set;
 import javax.ejb.Local;
 import javax.naming.ConfigurationException;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
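Review bot: The replacement `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network)` in the -2726 hunk passes false as the third argument, while NetworkModelImpl.checkNetworkPermissions in this same commit passes true for the same call on the same entity type; if that flag is the sameOwner switch of AccountManager.checkAccess, the two paths enforce different rules for the same kind of network use and the difference should either be removed or explained in the new comment. The removed code also handled the shared/domain-ACL case explicitly; with it gone, access to such networks depends on IAM policies like the DomainWideNetwork ones created in IAMApiServiceImpl being present, which is worth stating, e.g. `// Perform account permission check on network; domain-shared networks are granted through IAM policies, not by ACL type here`. The enclosing method starts and ends outside the hunk.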
@@ -878,4 +880,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false; //To change body of implemented methods use File | Settings | File Templates.
     }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        // TODO Auto-generated method stub
+
+    }
 }
diff --git a/server/test/com/cloud/vpc/MockNetworkModelImpl.java b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
index 67ab8e875cb..c93584dbe31 100644
--- a/server/test/com/cloud/vpc/MockNetworkModelImpl.java
+++ b/server/test/com/cloud/vpc/MockNetworkModelImpl.java
@@ -26,6 +26,8 @@ import javax.ejb.Local;
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
+import org.apache.cloudstack.acl.SecurityChecker.AccessType;
+
 import com.cloud.dc.Vlan;
 import com.cloud.exception.InsufficientAddressCapacityException;
 import com.cloud.exception.InvalidParameterValueException;
@@ -893,4 +895,10 @@ public class MockNetworkModelImpl extends ManagerBase implements NetworkModel {
     public boolean getNetworkEgressDefaultPolicy(Long networkId) {
         return false; //To change body of implemented methods use File | Settings | File Templates.
     }
+
+    @Override
+    public void checkNetworkPermissions(Account owner, Network network, AccessType accessType) {
+        // TODO Auto-generated method stub
+
+    }
 }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
index 5d35ee27943..3dfcddad095 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/IAMApiServiceImpl.java
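Review bot: Both MockNetworkModelImpl stubs (the -878 hunk here and the -893 hunk in server/test/com/cloud/vpc) leave checkNetworkPermissions as an IDE-generated empty body with a TODO, which reads as unfinished even though a permissive no-op is presumably the intended mock behaviour. Replace the TODO with a comment stating that intent, e.g. `// Mock: grants access unconditionally; permission checks are not exercised by these tests`, so that nobody later "completes" the stub and silently changes what the tests cover.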
@@ -363,10 +363,10 @@ public class IAMApiServiceImpl extends ManagerBase implements IAMApiService, Man
         Boolean isRecursive = (Boolean) params.get(ApiConstants.SUBDOMAIN_ACCESS);
         if (entityType == Network.class) {
-            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.toString(),
+            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide network", entityType.getSimpleName(),
                 entityId, "listNetworks", AccessType.UseEntry, domainId, isRecursive);
         } else if (entityType == AffinityGroup.class) {
-            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.toString(),
+            createPolicyAndAddToDomainGroup("DomainWideNetwork-" + entityId, "domain wide affinityGroup", entityType.getSimpleName(),
                 entityId, "listAffinityGroups", AccessType.UseEntry, domainId, isRecursive);
         }
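Review bot: Both branches build the policy name from the same prefix, `"DomainWideNetwork-" + entityId`, so a domain-wide affinity group and a domain-wide network that share a numeric id yield identically named policies; if createPolicyAndAddToDomainGroup treats the name as a key (its body is outside the hunk), the second grant would collide with or overwrite the first, and the affected policy would then carry the wrong entity type and permission. The affinity-group branch should use its own prefix, `"DomainWideAffinityGroup-" + entityId`; the description already says "domain wide affinityGroup", so only the name needs changing. The switch to getSimpleName() also changes the stored entity-type string from the `class com.cloud.network.Network` form to `Network`; if existing policies are matched on that string, ones created with toString() will no longer match unless migrated, which is worth a line in the commit message if it applies. The enclosing method starts outside the hunk.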