diff --git a/api/src/com/cloud/acl/SecurityChecker.java b/api/src/com/cloud/acl/SecurityChecker.java
index 3d5c7c9d3a3..385defa20dd 100644
--- a/api/src/com/cloud/acl/SecurityChecker.java
+++ b/api/src/com/cloud/acl/SecurityChecker.java
@@ -39,7 +39,8 @@ public interface SecurityChecker extends Adapter {
     public enum AccessType {
         ListEntry,
         ModifyEntry,
-        ModifyProject
+        ModifyProject,
+        UseNetwork
     }
     /**
      * Checks if the account owns the object.
diff --git a/api/src/com/cloud/api/commands/CreateLoadBalancerRuleCmd.java b/api/src/com/cloud/api/commands/CreateLoadBalancerRuleCmd.java
index 0df27b21b07..43f40ef4b08 100644
--- a/api/src/com/cloud/api/commands/CreateLoadBalancerRuleCmd.java
+++ b/api/src/com/cloud/api/commands/CreateLoadBalancerRuleCmd.java
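Review bot: The new `UseNetwork` constant is added to the public `AccessType` enum without a comment saying which check it selects, so a caller of `checkAccess` has to read `DomainChecker` (changed in this same commit) to learn that it is the value that routes a `Network` entity to `checkNetworkPermissions` instead of the generic ownership branch. Suggest a line above it: `/** Caller wants to use (place resources in) the Network entity; evaluated by the network-specific permission check rather than plain ownership. */`. The other constants are undocumented too, but this one changes how an existing entity type is checked, which is worth stating at the declaration.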
@@ -141,32 +141,41 @@ public class CreateLoadBalancerRuleCmd extends BaseAsyncCreateCmd /*implements
         Long zoneId = getZoneId();
         if (zoneId == null) {
-            throw new InvalidParameterValueException("Either networkId or zoneId has to be specified");
+            Long ipId = getSourceIpAddressId();
+            if (ipId == null) {
+                throw new InvalidParameterValueException("Either networkId or zoneId or publicIpId has to be specified");
+            }
         }
-        DataCenter zone = _configService.getZone(zoneId);
-        if (zone.getNetworkType() == NetworkType.Advanced) {
-            List networks = _networkService.getIsolatedNetworksOwnedByAccountInZone(getZoneId(), _accountService.getAccount(getEntityOwnerId()));
-            if (networks.size() == 0) {
-                String domain = _domainService.getDomain(getDomainId()).getName();
-                throw new InvalidParameterValueException("Account name=" + getAccountName() + " domain=" + domain + " doesn't have virtual networks in zone=" + zone.getName());
-            }
-
-            if (networks.size() < 1) {
-                throw new InvalidParameterValueException("Account doesn't have any Isolated networks in the zone");
-            } else if (networks.size() > 1) {
-                throw new InvalidParameterValueException("Account has more than one Isolated network in the zone");
-            }
-
-            return networks.get(0).getId();
-        } else {
-            Network defaultGuestNetwork = _networkService.getExclusiveGuestNetwork(zoneId);
-            if (defaultGuestNetwork == null) {
-                throw new InvalidParameterValueException("Unable to find a default Guest network for account " + getAccountName() + " in domain id=" + getDomainId());
+        if (zoneId != null) {
+            DataCenter zone = _configService.getZone(zoneId);
+            if (zone.getNetworkType() == NetworkType.Advanced) {
+                List networks = _networkService.getIsolatedNetworksOwnedByAccountInZone(getZoneId(), _accountService.getAccount(getEntityOwnerId()));
+                if (networks.size() == 0) {
+                    String domain = _domainService.getDomain(getDomainId()).getName();
+                    throw new InvalidParameterValueException("Account name=" + getAccountName() + " domain=" + domain + " doesn't have virtual networks in zone=" + zone.getName());
+                }
+
+                if (networks.size() < 1) {
+                    throw new InvalidParameterValueException("Account doesn't have any Isolated networks in the zone");
+                } else if (networks.size() > 1) {
+                    throw new InvalidParameterValueException("Account has more than one Isolated network in the zone");
+                }
+
+                return networks.get(0).getId();
             } else {
-                return defaultGuestNetwork.getId();
+                Network defaultGuestNetwork = _networkService.getExclusiveGuestNetwork(zoneId);
+                if (defaultGuestNetwork == null) {
+                    throw new InvalidParameterValueException("Unable to find a default Guest network for account " + getAccountName() + " in domain id=" + getDomainId());
+                } else {
+                    return defaultGuestNetwork.getId();
+                }
             }
+        } else {
+            IpAddress ipAddr = _networkService.getIp(publicIpId);
+            return ipAddr.getAssociatedWithNetworkId();
         }
+    }
 
     public Integer getPublicPort() {
diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java
index 3f75a98746a..d06befeaafa 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -109,7 +109,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
             }
             return true;
-        } else if (entity instanceof Network) {
+        } else if (entity instanceof Network && accessType != null && accessType == AccessType.UseNetwork) {
             _networkMgr.checkNetworkPermissions(caller, (Network)entity);
         } else {
             if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
diff --git a/server/src/com/cloud/network/NetworkManagerImpl.java b/server/src/com/cloud/network/NetworkManagerImpl.java
index cffa995a685..3e211219c49 100755
--- a/server/src/com/cloud/network/NetworkManagerImpl.java
+++ b/server/src/com/cloud/network/NetworkManagerImpl.java
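Review bot: The new public-IP branch dereferences `_networkService.getIp(publicIpId)` without a null check, so a caller-supplied id that resolves to nothing surfaces as a NullPointerException on `getAssociatedWithNetworkId()` instead of an InvalidParameterValueException like every other failure path in this method; and if the IP exists but is not associated with a network, the method silently returns a null network id. The branch also reads the `publicIpId` field directly while the guard a few lines above validated `getSourceIpAddressId()` — the two presumably agree, but using the getter in both places removes the doubt. Note that this hunk only resolves an IP to a network id and does no ownership check on the IP itself; I assume the manager checks the caller against the resulting network, but that is not visible here. The enclosing method starts outside the hunk.
```java
        // … unchanged: zoneId-based resolution …
        } else {
            Long ipId = getSourceIpAddressId();
            IpAddress ipAddr = _networkService.getIp(ipId);
            if (ipAddr == null || ipAddr.getAssociatedWithNetworkId() == null) {
                throw new InvalidParameterValueException("Unable to find a network associated with public ip id=" + ipId);
            }
            return ipAddr.getAssociatedWithNetworkId();
        }
```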
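Review bot: The `accessType != null` guard in the new condition is redundant, because comparing a null reference to an enum constant with `==` is already false, so `} else if (entity instanceof Network && accessType == AccessType.UseNetwork) {` is equivalent and reads as the single condition it is. The more important consequence is not obvious from the line itself: a `Network` entity checked with `null` or any other `AccessType` now falls through to the generic ownership branch below (the `caller.getType() == Account.ACCOUNT_TYPE_NORMAL` path) rather than `checkNetworkPermissions`, which is a behaviour change for every existing caller that passes `null` for a network. A comment on the branch such as `// only UseNetwork goes through the network-specific check; other access types on a Network are plain ownership checks` would make that intent explicit. The enclosing method starts and ends outside the hunk.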
@@ -43,6 +43,7 @@ import javax.naming.ConfigurationException;
 import org.apache.log4j.Logger;
 
 import com.cloud.acl.ControlledEntity.ACLType;
+import com.cloud.acl.SecurityChecker.AccessType;
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.Listener;
 import com.cloud.agent.api.AgentControlAnswer;
@@ -931,8 +932,8 @@ public class NetworkManagerImpl implements NetworkManager, NetworkService, Manag
         }
 
         //check permissions
-        _accountMgr.checkAccess(caller, null, false, ipOwner, network);
-        _accountMgr.checkAccess(ipOwner, null, false, network);
+        _accountMgr.checkAccess(caller, null, false, ipOwner);
+        _accountMgr.checkAccess(ipOwner, AccessType.UseNetwork, false, network);
 
         DataCenter zone = _configMgr.getZone(network.getDataCenterId());
diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
index cff2e599897..44ba16a8c80 100755
--- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
+++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java
@@ -627,7 +627,7 @@ public class LoadBalancingRulesManagerImpl implements LoadBalancingRulesMa
         Network guestNetwork = _networkMgr.getNetwork(lb.getNetworkId());
         NetworkOffering off = _configMgr.getNetworkOffering(guestNetwork.getNetworkOfferingId());
 
-        if (ipAddressVo != null) {
+        if (ipAddressVo != null && off.getElasticLb()) {
             throw new InvalidParameterValueException("Can't specify ipAddressId when create LB in the network with LB capability " + Capability.ElasticLb.getName());
         }
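Review bot: In the `-931` hunk the caller's own access to `network` is no longer checked at all: the old code verified both `caller` and `ipOwner` against the network, the new code verifies `caller` only against `ipOwner` and then `ipOwner` against the network with `UseNetwork`. That is defensible if the caller→ipOwner check is meant to cover acting on the owner's behalf, but the bare `//check permissions` comment no longer says what is being asserted, and the drop is easy to misread as accidental in a later review. Suggest replacing the comment with `// caller must be allowed to act for ipOwner; ipOwner (not caller) must be allowed to use the network`. The import hunk above is trivial. The enclosing method starts and ends outside the hunk.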