CLOUDSTACK-9875: Unable to re-apply Explicit dedication to VM (#2042)

Problem: When a VM is deployed with in an Affinity group which has the cluster dedicated to a subdomain (zone is dedicated to parent domain) it is getting successful. We can also stop the vm and remove the affinity group, but if you want to add back the affinity it is failing. Root cause: During VM deployment there is clear check on affinity type (account/domain). Here since the acl_type is "domain" it does not expect to be same owner for entities. But during update of affinity to VM there is no specific check for acl_type "domain". Solution: Fix is to make the access check similar to VM deployment where it does not expect to be same owner for entities if the acl_type is "domain".
2017-12-20 17:12:46 +05:30 · 2017-12-20 17:12:46 +05:30 · cd637fd05f
parent 13c325aad4
commit cd637fd05f
1 changed files with 17 additions and 6 deletions
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@ -449,12 +449,23 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
                throw new InvalidParameterValueException("Unable to find affinity group by id " + affinityGroupId);
            } else {
                // verify permissions
-                _accountMgr.checkAccess(caller, null, true, owner, ag);
-                // Root admin has access to both VM and AG by default, but make sure the
-                // owner of these entities is same
-                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
-                    if (ag.getAccountId() != owner.getAccountId()) {
-                        throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
+                if (ag.getAclType() == ACLType.Domain) {
+                    _accountMgr.checkAccess(caller, null, false, owner, ag);
+                    // make sure the affinity group is available in that domain
+                    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
+                        if (!isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
+                            throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain");
+                        }
+                    }
+                } else {
+                    _accountMgr.checkAccess(caller, null, true, owner, ag);
+                    // Root admin has access to both VM and AG by default,
+                    // but
+                    // make sure the owner of these entities is same
+                    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
+                        if (ag.getAccountId() != owner.getAccountId()) {
+                            throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account");
+                        }
                    }
                }
            }