mirror of https://github.com/apache/cloudstack.git
bug 8710: CONTD....Introducing a new user role in cloudstack called RESOURCE_DOMAIN_ADMIN. The role would have all the domain_admin rights and the rights to list zone,pods,clusters and so on. More info in the bug
parent
782a22d95f
commit
debe236a8d
|
|
@ -543,6 +543,7 @@ public abstract class BaseCmd {
|
|||
|
||||
public static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
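Review bot: The new account type has to be added to eight hand-copied `isAdmin` predicates in this commit, which is how authorization predicates drift apart. The copies are here and in VirtualNetworkApplianceManagerImpl, SecurityGroupManagerImpl, ManagementServerImpl, StorageManagerImpl, SnapshotManagerImpl, TemplateManagerImpl and AccountManagerImpl. I would have the private copies delegate to this one (`return BaseCmd.isAdmin(accountType);`) so the next role change is made in one place. This method also needs a doc comment naming what it accepts, for example `/** True for root, domain, resource-domain and read-only admin account types. */`.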
|
|
|
|||
|
|
@ -24,6 +24,7 @@ import java.util.Set;
|
|||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.cloud.api.ApiConstants;
|
||||
import com.cloud.api.BaseCmd;
|
||||
import com.cloud.api.BaseListCmd;
|
||||
import com.cloud.api.Implementation;
|
||||
import com.cloud.api.Parameter;
|
||||
|
|
@ -155,7 +156,7 @@ public class ListIsosCmd extends BaseListCmd {
|
|||
|
||||
boolean isAdmin = false;
|
||||
Account account = UserContext.current().getCaller();
|
||||
if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) {
|
||||
if ((account == null) || BaseCmd.isAdmin(account.getType())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
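Review bot: Swapping the explicit `ACCOUNT_TYPE_ADMIN || ACCOUNT_TYPE_DOMAIN_ADMIN` test for `BaseCmd.isAdmin(account.getType())` also sets `isAdmin` for `ACCOUNT_TYPE_READ_ONLY_ADMIN`, which the old condition did not cover, on top of the new resource domain admin role. What `isAdmin` unlocks further down is outside the hunk, so the effect of that widening should be confirmed rather than inherited by accident. If it is not wanted, this call site needs a narrower predicate. The same substitution is made in ListTemplatesCmd, in both ApiResponseHelper hunks and in SecurityGroupManagerImpl (-760,7). The `account == null` arm is unchanged and still treats a missing caller as admin.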
|
|
|
|||
|
|
@ -25,6 +25,7 @@ import java.util.Set;
|
|||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.cloud.api.ApiConstants;
|
||||
import com.cloud.api.BaseCmd;
|
||||
import com.cloud.api.BaseListCmd;
|
||||
import com.cloud.api.Implementation;
|
||||
import com.cloud.api.Parameter;
|
||||
|
|
@ -124,7 +125,7 @@ public class ListTemplatesCmd extends BaseListCmd {
|
|||
|
||||
boolean isAdmin = false;
|
||||
Account account = UserContext.current().getCaller();
|
||||
if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) {
|
||||
if ((account == null) || BaseCmd.isAdmin(account.getType())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -122,7 +122,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
|||
}
|
||||
//if account is normal user or domain admin
|
||||
//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering)
|
||||
else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
|
||||
else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
|
||||
{
|
||||
if(account.getDomainId() == dof.getDomainId())
|
||||
{
|
||||
|
|
@ -170,7 +170,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
|||
}
|
||||
//if account is normal user or domain admin
|
||||
//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering)
|
||||
else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
|
||||
else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
|
||||
{
|
||||
if(account.getDomainId() == so.getDomainId())
|
||||
{
|
||||
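Review bot: The comment above the widened branch still reads `//if account is normal user or domain admin` in both hunks, while the condition now also admits `Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN`. It should become `//if account is normal user, domain admin or resource domain admin` so the access rule and its description stay in step. Both checker methods start and end outside their hunks.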
|
|
|
|||
|
|
@ -795,6 +795,8 @@ public class AgentManagerImpl implements AgentManager, HandlerFactory, ResourceS
|
|||
String hostTag = cmd.getHostTag();
|
||||
Map<String, String>bareMetalParams = new HashMap<String, String>();
|
||||
|
||||
dcId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), dcId);
|
||||
|
||||
// this is for standalone option
|
||||
if (clusterName == null && clusterId == null) {
|
||||
clusterName = "Standalone-" + url;
|
||||
|
|
@ -1303,7 +1305,7 @@ public class AgentManagerImpl implements AgentManager, HandlerFactory, ResourceS
|
|||
throw new InvalidParameterValueException("Host with id "
|
||||
+ id.toString() + " doesn't exist");
|
||||
}
|
||||
|
||||
_accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), host.getDataCenterId());
|
||||
return deleteHost(id);
|
||||
}
|
||||
|
||||
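Review bot: The call added before `return deleteHost(id);` (-1303,7) discards the value returned by `checkAccessAndSpecifyAuthority`, so it exists only for the exception it may throw, and nothing on the line says so. A comment such as `// throws PermissionDeniedException when a resource domain admin targets a host outside its zone` would make that explicit. Both added calls pass `UserContext.current().getCaller()` straight in. Other code on this page tests that value for null, and the implementation shown in AccountManagerImpl dereferences it, so a null caller would fail here with a NullPointerException rather than a permission error. Both enclosing methods start outside their hunks.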
|
|
|
|||
|
|
@ -1743,7 +1743,7 @@ public class ApiResponseHelper implements ResponseGenerator {
|
|||
// set status
|
||||
Account account = UserContext.current().getCaller();
|
||||
boolean isAdmin = false;
|
||||
if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) {
|
||||
if ((account == null) || BaseCmd.isAdmin(account.getType())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
|
|
@ -1815,7 +1815,7 @@ public class ApiResponseHelper implements ResponseGenerator {
|
|||
// set status
|
||||
Account account = UserContext.current().getCaller();
|
||||
boolean isAdmin = false;
|
||||
if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) {
|
||||
if ((account == null) || BaseCmd.isAdmin(account.getType())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -654,8 +654,8 @@ public class LoadBalancingRulesManagerImpl implements LoadBalancingRulesManager,
|
|||
Pair<String, Long> accountDomainPair = _accountMgr.finalizeAccountDomainForList(caller, cmd.getAccountName(), cmd.getDomainId());
|
||||
String accountName = accountDomainPair.first();
|
||||
Long domainId = accountDomainPair.second();
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
Domain domain = _accountMgr.getDomain(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
}
|
||||
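Review bot: The pair `caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` is spelled out by hand here and again in RulesManagerImpl, RemoteAccessVpnManagerImpl, ManagementServerImpl, SnapshotManagerImpl, VMTemplateDaoImpl and AccountManagerImpl. Every one of those sites decides whether a listing is scoped to the caller's domain path, so a missed or mistyped site is an access-control bug. The AccountManagerImpl hunk at -486,7, where the added operand repeats `ACCOUNT_TYPE_READ_ONLY_ADMIN`, shows how easily that happens. I would put the test in one predicate next to `isAdmin` and call it from each site. The enclosing method starts and ends outside the hunk.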
|
|
|
|||
2
server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
Normal file → Executable file
2
server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java
Normal file → Executable file
|
|
@ -693,7 +693,7 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian
|
|||
}
|
||||
|
||||
public static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -623,7 +623,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
|
|||
_accountMgr.checkAccess(caller, ipAddressVO);
|
||||
}
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
Domain domain = _accountMgr.getDomain(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
}
|
||||
|
|
@ -835,7 +835,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager {
|
|||
_accountMgr.checkAccess(caller, ipAddressVO);
|
||||
}
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
Domain domain = _accountMgr.getDomain(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -746,6 +746,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
|
|||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
|
@ -760,7 +761,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG
|
|||
|
||||
Account account = UserContext.current().getCaller();
|
||||
if (account != null) {
|
||||
if ((account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) {
|
||||
if (isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
if (!_domainDao.isChildDomain(account.getDomainId(), domainId)) {
|
||||
throw new PermissionDeniedException("Unable to create security group in domain " + domainId + ", permission denied.");
|
||||
|
|
|
|||
|
|
@ -416,7 +416,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
|
|||
Long domainId = accountDomainPair.second();
|
||||
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
Domain domain = _accountMgr.getDomain(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
}
|
||||
|
|
@ -477,7 +477,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag
|
|||
String accountName = accountDomainPair.first();
|
||||
Long domainId = accountDomainPair.second();
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
Domain domain = _accountMgr.getDomain(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -756,7 +756,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
//add all public zones too
|
||||
dcs.addAll(_dcDao.listPublicZones());
|
||||
removeDisabledZones = true;
|
||||
}else if(account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN){
|
||||
}else if(account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){
|
||||
//it was decided to return all zones for the domain admin, and everything above till root
|
||||
dcs = new ArrayList<DataCenterVO>();
|
||||
DomainVO domainRecord = _domainDao.findById(account.getDomainId());
|
||||
|
|
@ -1058,7 +1058,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
}
|
||||
|
||||
//For non-root users
|
||||
if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)){
|
||||
if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){
|
||||
return searchServiceOfferingsInternal(account, name, id, vmId, keyword, searchFilter);
|
||||
}
|
||||
|
||||
|
|
@ -1191,10 +1191,12 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
Object id = cmd.getId();
|
||||
Object name = cmd.getClusterName();
|
||||
Object podId = cmd.getPodId();
|
||||
Object zoneId = cmd.getZoneId();
|
||||
Long zoneId = cmd.getZoneId();
|
||||
Object hypervisorType = cmd.getHypervisorType();
|
||||
Object clusterType = cmd.getClusterType();
|
||||
Object allocationState = cmd.getAllocationState();
|
||||
|
||||
zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), zoneId);
|
||||
|
||||
if (id != null) {
|
||||
sc.addAnd("id", SearchCriteria.Op.EQ, id);
|
||||
|
|
@ -1229,17 +1231,18 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
|
||||
@Override
|
||||
public List<HostVO> searchForServers(ListHostsCmd cmd) {
|
||||
|
||||
Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), cmd.getZoneId());
|
||||
Object name = cmd.getHostName();
|
||||
Object type = cmd.getType();
|
||||
Object state = cmd.getState();
|
||||
Object zone = cmd.getZoneId();
|
||||
Object state = cmd.getState();
|
||||
Object pod = cmd.getPodId();
|
||||
Object cluster = cmd.getClusterId();
|
||||
Object id = cmd.getId();
|
||||
Object keyword = cmd.getKeyword();
|
||||
Object allocationState = cmd.getAllocationState();
|
||||
|
||||
return searchForServers(cmd.getStartIndex(), cmd.getPageSizeVal(), name, type, state, zone, pod, cluster, id, keyword, allocationState);
|
||||
return searchForServers(cmd.getStartIndex(), cmd.getPageSizeVal(), name, type, state, zoneId, pod, cluster, id, keyword, allocationState);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -1364,6 +1367,8 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
Long zoneId = cmd.getZoneId();
|
||||
Object keyword = cmd.getKeyword();
|
||||
Object allocationState = cmd.getAllocationState();
|
||||
|
||||
zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), zoneId);
|
||||
|
||||
if (keyword != null) {
|
||||
SearchCriteria<HostPodVO> ssc = _hostPodDao.createSearchCriteria();
|
||||
|
|
@ -2005,20 +2010,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
}
|
||||
|
||||
//do a permission check
|
||||
if (account != null) {
|
||||
Long templateOwner = template.getAccountId();
|
||||
if (!BaseCmd.isAdmin(account.getType())) {
|
||||
if ((templateOwner == null) || (account.getId() != templateOwner.longValue())) {
|
||||
throw new PermissionDeniedException("Unable to modify template/iso with id " + id + ", permission denied.");
|
||||
}
|
||||
} else if (account.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
Long templateOwnerDomainId = findDomainIdByAccountId(templateOwner);
|
||||
if (!isChildDomain(account.getDomainId(), templateOwnerDomainId)) {
|
||||
throw new PermissionDeniedException("Unable to modify template/iso with id " + id + ", permission denied");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
_accountMgr.checkAccess(account, template);
|
||||
|
||||
boolean updateNeeded = !(name == null && displayText == null && format == null && guestOSId == null && passwordEnabled == null && bootable == null);
|
||||
if (!updateNeeded) {
|
||||
|
|
@ -2876,7 +2868,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
Account account = UserContext.current().getCaller();
|
||||
String path = null;
|
||||
|
||||
if (account != null && account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (account != null && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
|
||||
DomainVO domain = _domainDao.findById(account.getDomainId());
|
||||
if (domain != null) {
|
||||
path = domain.getPath();
|
||||
|
|
@ -3218,10 +3210,13 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
Object type = cmd.getType();
|
||||
Object keyword = cmd.getKeyword();
|
||||
|
||||
|
||||
Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), null);
|
||||
if (id != null) {
|
||||
sc.addAnd("id", SearchCriteria.Op.EQ, id);
|
||||
}
|
||||
if (zoneId != null){
|
||||
sc.addAnd("data_center_id", SearchCriteria.Op.EQ, zoneId);
|
||||
}
|
||||
|
||||
if (keyword != null) {
|
||||
SearchCriteria<AlertVO> ssc = _alertDao.createSearchCriteria();
|
||||
|
|
@ -3248,6 +3243,8 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
Long zoneId = cmd.getZoneId();
|
||||
Long podId = cmd.getPodId();
|
||||
Long hostId = cmd.getHostId();
|
||||
|
||||
zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), zoneId);
|
||||
|
||||
if (type != null) {
|
||||
sc.addAnd("capacityType", SearchCriteria.Op.EQ, type);
|
||||
|
|
@ -3315,6 +3312,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
|
||||
public static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
|
@ -3366,17 +3364,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
}
|
||||
}
|
||||
|
||||
if (account != null)
|
||||
{
|
||||
if (!isAdmin(account.getType()) && (template.getAccountId() != account.getId())) {
|
||||
throw new PermissionDeniedException("unable to update permissions for " + mediaType + " with id " + id);
|
||||
} else if (account.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
Long templateOwnerDomainId = findDomainIdByAccountId(template.getAccountId());
|
||||
if (!isChildDomain(account.getDomainId(), templateOwnerDomainId)) {
|
||||
throw new PermissionDeniedException("Unable to update permissions for " + mediaType + " with id " + id);
|
||||
}
|
||||
}
|
||||
}
|
||||
_accountMgr.checkAccess(account, template);
|
||||
|
||||
// If command is executed via 8096 port, set userId to the id of System account (1)
|
||||
if (userId == null) {
|
||||
|
|
@ -3510,7 +3498,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
if (accountId != null && !template.isPublicTemplate()) {
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_NORMAL && template.getAccountId() != accountId) {
|
||||
throw new PermissionDeniedException("unable to list permissions for " + cmd.getMediaType() + " with id " + id);
|
||||
} else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
} else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
DomainVO accountDomain = _domainDao.findById(account.getDomainId());
|
||||
Account templateAccount = _accountDao.findById(template.getAccountId());
|
||||
DomainVO templateDomain = _domainDao.findById(templateAccount.getDomainId());
|
||||
|
|
@ -3633,7 +3621,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
}
|
||||
|
||||
//For non-root users
|
||||
if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)){
|
||||
if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){
|
||||
return searchDiskOfferingsInternal(account, name, id, keyword, searchFilter);
|
||||
}
|
||||
|
||||
|
|
@ -3835,6 +3823,8 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
|
||||
@Override
|
||||
public List<? extends StoragePoolVO> searchForStoragePools(ListStoragePoolsCmd cmd) {
|
||||
|
||||
Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), cmd.getZoneId());
|
||||
Criteria c = new Criteria("id", Boolean.TRUE, cmd.getStartIndex(), cmd.getPageSizeVal());
|
||||
c.addCriteria(Criteria.ID, cmd.getId());
|
||||
c.addCriteria(Criteria.NAME, cmd.getStoragePoolName());
|
||||
|
|
@ -3843,7 +3833,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
c.addCriteria(Criteria.KEYWORD, cmd.getKeyword());
|
||||
c.addCriteria(Criteria.PATH, cmd.getPath());
|
||||
c.addCriteria(Criteria.PODID, cmd.getPodId());
|
||||
c.addCriteria(Criteria.DATACENTERID, cmd.getZoneId());
|
||||
c.addCriteria(Criteria.DATACENTERID, zoneId);
|
||||
|
||||
return searchForStoragePools(c);
|
||||
}
|
||||
|
|
@ -4050,10 +4040,11 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
@Override @SuppressWarnings({"unchecked", "rawtypes"})
|
||||
public List<? extends VMInstanceVO> searchForSystemVm(ListSystemVMsCmd cmd) {
|
||||
Criteria c = new Criteria("id", Boolean.TRUE, cmd.getStartIndex(), cmd.getPageSizeVal());
|
||||
Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), cmd.getZoneId());
|
||||
|
||||
c.addCriteria(Criteria.KEYWORD, cmd.getKeyword());
|
||||
c.addCriteria(Criteria.ID, cmd.getId());
|
||||
c.addCriteria(Criteria.DATACENTERID, cmd.getZoneId());
|
||||
c.addCriteria(Criteria.DATACENTERID, zoneId);
|
||||
c.addCriteria(Criteria.PODID, cmd.getPodId());
|
||||
c.addCriteria(Criteria.HOSTID, cmd.getHostId());
|
||||
c.addCriteria(Criteria.NAME, cmd.getSystemVmName());
|
||||
|
|
@ -4853,20 +4844,8 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
Account caller = UserContext.current().getCaller();
|
||||
String accountName = cmd.getAccountName();
|
||||
Long domainId = cmd.getDomainId();
|
||||
Account owner = null;
|
||||
|
||||
if (accountName != null) {
|
||||
if (domainId != null) {
|
||||
owner = _accountMgr.getActiveAccount(accountName, domainId);
|
||||
} else {
|
||||
throw new InvalidParameterValueException("DomainId has to be specified along with account");
|
||||
}
|
||||
|
||||
//check account permissions
|
||||
_accountMgr.checkAccess(caller, owner);
|
||||
} else {
|
||||
owner = caller;
|
||||
}
|
||||
Account owner = null;
|
||||
_accountMgr.finalizeOwner(caller, accountName, domainId);
|
||||
|
||||
SSHKeyPairVO s = _sshKeyPairDao.findByName(owner.getAccountId(), owner.getDomainId(), cmd.getName());
|
||||
if (s == null) {
|
||||
|
|
@ -4888,7 +4867,7 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
|
||||
accountId = caller.getId();
|
||||
domainId = caller.getDomainId();
|
||||
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
DomainVO domain = _domainDao.findById(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
}
|
||||
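Review bot: In the hunk at -4853,20 the new code declares `Account owner = null;` and then calls `_accountMgr.finalizeOwner(caller, accountName, domainId);` without using its result. `owner` is therefore still null when `owner.getAccountId()` runs in the next statement. Assuming `finalizeOwner` returns the resolved owner (its signature is not shown on this page), the two lines should be `Account owner = _accountMgr.finalizeOwner(caller, accountName, domainId);`. Separately, the hunks at -2005,20 and -3366,17 replace blocks guarded by `if (account != null)` with an unguarded `_accountMgr.checkAccess(account, template);`. StorageManagerImpl (-2283,23) does the same for volumes, so confirm that `checkAccess` accepts a null caller before the guard is dropped.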
|
|
|
|||
|
|
@ -2258,6 +2258,7 @@ public class StorageManagerImpl implements StorageManager, StorageService, Manag
|
|||
|
||||
private boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
|
@ -2283,23 +2284,7 @@ public class StorageManagerImpl implements StorageManager, StorageService, Manag
|
|||
}
|
||||
|
||||
// If the account is not an admin, check that the volume is owned by the account that was passed in
|
||||
if (!isAdmin) {
|
||||
if (account.getId() != volume.getAccountId()) {
|
||||
throw new InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName());
|
||||
}
|
||||
} else if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId())) {
|
||||
throw new PermissionDeniedException("Unable to delete volume with id " + volumeId + ", permission denied.");
|
||||
}
|
||||
|
||||
// If the account is not an admin, check that the volume is owned by the account that was passed in
|
||||
if (!isAdmin) {
|
||||
if (account.getId() != volume.getAccountId()) {
|
||||
throw new InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: "
|
||||
+ account.getAccountName());
|
||||
}
|
||||
} else if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId())) {
|
||||
throw new PermissionDeniedException("Unable to delete volume with id " + volumeId + ", permission denied.");
|
||||
}
|
||||
_accountMgr.checkAccess(account, volume);
|
||||
|
||||
// Check that the volume is stored on shared storage
|
||||
// NOTE: We used to ensure the volume is on shared storage before deleting. However, this seems like an unnecessary check since all we allow
|
||||
|
|
|
|||
|
|
@ -290,7 +290,7 @@ public class VMTemplateDaoImpl extends GenericDaoBase<VMTemplateVO, Long> implem
|
|||
if (templateFilter == TemplateFilter.featured) {
|
||||
whereClause += " WHERE t.public = 1 AND t.featured = 1";
|
||||
} else if ((templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable) && accountType != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
whereClause += " INNER JOIN account a on (t.account_id = a.id) INNER JOIN domain d on (a.domain_id = d.id) WHERE d.path LIKE '" + domain.getPath() + "%'";
|
||||
} else {
|
||||
whereClause += " WHERE t.account_id = " + accountId;
|
||||
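Review bot: The branch this hunk opens to `ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` builds its filter by concatenating `domain.getPath()` into the SQL text (`d.path LIKE '" + domain.getPath() + "%'`). A quote or a LIKE wildcard in a domain path would alter the query instead of being matched literally. The concatenation predates this commit, but since another role now reaches it I would bind the value, using `WHERE d.path LIKE ?` with `domain.getPath() + "%"` set as the parameter. `" WHERE t.account_id = " + accountId` in the else arm should be bound the same way for consistency. How the statement is prepared is outside the hunk, so the exact change depends on that code.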
|
|
|
|||
|
|
@ -324,7 +324,8 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
Account owner = _accountMgr.getAccount(v.getAccountId());
|
||||
SnapshotVO snapshot = null;
|
||||
boolean backedUp = false;
|
||||
|
||||
//does the caller have the authority to act on this volume
|
||||
checkAccountPermissions(v.getAccountId(), v.getDomainId(), "volume", volumeId);
|
||||
try {
|
||||
if (v != null && _volsDao.getHypervisorType(v.getId()).equals(HypervisorType.KVM)) {
|
||||
/* KVM needs to lock on the vm of volume, because it takes snapshot on behalf of vm, not volume */
|
||||
|
|
@ -589,21 +590,23 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
|
||||
Account account = UserContext.current().getCaller();
|
||||
if (account != null) {
|
||||
if (!isAdmin(account.getType())) {
|
||||
|
||||
/*if (!isAdmin(account.getType())) {
|
||||
if (account.getId() != targetAccountId) {
|
||||
throw new InvalidParameterValueException("Unable to find a " + targetDesc + " with id " + targetId + " for this account");
|
||||
}
|
||||
} else if (!_domainDao.isChildDomain(account.getDomainId(), targetDomainId)) {
|
||||
throw new PermissionDeniedException("Unable to perform operation for " + targetDesc + " with id " + targetId + ", permission denied.");
|
||||
}
|
||||
accountId = account.getId();
|
||||
accountId = account.getId();*/
|
||||
_accountMgr.checkAccess(account, _domainDao.findById(targetDomainId));
|
||||
}
|
||||
|
||||
return accountId;
|
||||
}
|
||||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -773,7 +776,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma
|
|||
if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), domainId)) {
|
||||
throw new PermissionDeniedException("Unable to list templates for domain " + domainId + ", permission denied.");
|
||||
}
|
||||
} else if ((account != null) && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) {
|
||||
} else if ((account != null) && ((account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN))) {
|
||||
domainId = account.getDomainId();
|
||||
}
|
||||
|
||||
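Review bot: In `checkAccountPermissions` (-589,21) the ownership test for non-admin callers is commented out and replaced by `_accountMgr.checkAccess(account, _domainDao.findById(targetDomainId));`, which as written is a domain-level check. Unless that overload also compares owners (its body is not visible here), a normal user would pass for another account's volume or snapshot in the same domain. The comment block also swallows `accountId = account.getId();`, so the value returned for a non-null caller is no longer the caller's id. I would delete the commented-out code instead of keeping it, and either restore the `account.getId() != targetAccountId` comparison for non-admin callers or call a `checkAccess` form that takes the owning object. The result of `findById` is passed on without a null test.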
|
|
|
|||
|
|
@ -1285,6 +1285,7 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe
|
|||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -116,4 +116,6 @@ public interface AccountManager extends AccountService {
|
|||
@Override
|
||||
UserVO createUser(CreateUserCmd cmd);
|
||||
|
||||
Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId);
|
||||
|
||||
}
|
||||
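Review bot: `checkAccessAndSpecifyAuthority` is added to the interface without Javadoc, and its name does not say that it both authorizes the caller and rewrites the zone filter. Going by the implementation in AccountManagerImpl, the comment should state three things. For a resource domain admin it returns the caller's own zone when `zoneId` is null. It throws `PermissionDeniedException` when such a caller asks for a different zone. For every other account type it returns `zoneId` unchanged, so callers must use the returned value, not the request parameter, when building their query.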
|
|
|
|||
|
|
@ -53,6 +53,8 @@ import com.cloud.configuration.ResourceLimitVO;
|
|||
import com.cloud.configuration.dao.ConfigurationDao;
|
||||
import com.cloud.configuration.dao.ResourceCountDao;
|
||||
import com.cloud.configuration.dao.ResourceLimitDao;
|
||||
import com.cloud.dc.DataCenterVO;
|
||||
import com.cloud.dc.dao.DataCenterDao;
|
||||
import com.cloud.domain.Domain;
|
||||
import com.cloud.domain.DomainVO;
|
||||
import com.cloud.domain.dao.DomainDao;
|
||||
|
|
@ -146,6 +148,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
@Inject private RemoteAccessVpnDao _remoteAccessVpnDao;
|
||||
@Inject private RemoteAccessVpnService _remoteAccessVpnMgr;
|
||||
@Inject private VpnUserDao _vpnUser;
|
||||
@Inject private DataCenterDao _dcDao;
|
||||
private final ScheduledExecutorService _executor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("AccountChecker"));
|
||||
|
||||
private final GlobalLock m_resourceCountLock = GlobalLock.getInternLock("resource.count");
|
||||
|
|
@ -470,11 +473,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
Long accountId = null;
|
||||
Account account = UserContext.current().getCaller();
|
||||
|
||||
if ((account == null) ||
|
||||
(account.getType() == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) {
|
||||
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if (accountName != null) {
|
||||
// Look up limits for the specified account
|
||||
|
||||
|
|
@ -486,7 +485,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
|
||||
if (userAccount == null) {
|
||||
throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
|
||||
} else if (account != null && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) {
|
||||
} else if (account != null && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) {
|
||||
// If this is a non-root admin, make sure that the admin and the user account belong in the same domain or
|
||||
// that the user account's domain is a child domain of the parent
|
||||
if (account.getDomainId() != userAccount.getDomainId() && !_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) {
|
||||
|
|
@ -572,7 +571,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
domainId = DomainVO.ROOT_DOMAIN; // for root admin, default to root domain if domain is not specified
|
||||
}
|
||||
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
if ((domainId != null) && (accountName == null) && domainId.equals(account.getDomainId())) {
|
||||
// if the admin is trying to update their own domain, disallow...
|
||||
throw new PermissionDeniedException("Unable to update resource limit for domain " + domainId + ", permission denied");
|
||||
|
|
@ -700,6 +699,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
@Override
|
||||
public boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
|
@ -708,6 +708,10 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
public boolean isRootAdmin(short accountType) {
|
||||
return (accountType == Account.ACCOUNT_TYPE_ADMIN);
|
||||
}
|
||||
|
||||
public boolean isResourceDomainAdmin(short accountType){
|
||||
return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void checkAccess(Account caller, Domain domain) throws PermissionDeniedException {
|
||||
|
|
@ -770,7 +774,31 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
}
|
||||
}
|
||||
|
||||
private boolean doSetUserStatus(long userId, State state) {
|
||||
@Override
|
||||
public Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId){
|
||||
//We just care for resource domain admin for now. He should be permitted to see only his zone.
|
||||
if (isResourceDomainAdmin(caller.getType())){
|
||||
if (zoneId == null)
|
||||
return getZoneIdForAccount(caller);
|
||||
else if (getZoneIdForAccount(caller) != zoneId)
|
||||
throw new PermissionDeniedException("Caller " +caller+ "is not allowed to access the zone " +zoneId);
|
||||
else
|
||||
return zoneId;
|
||||
}
|
||||
|
||||
else
|
||||
return zoneId;
|
||||
}
|
||||
|
||||
private Long getZoneIdForAccount(Account account) {
|
||||
|
||||
/*
|
||||
*_dcDao.findZonesByDomainId(account.getDomainId());
|
||||
*/
|
||||
return 1L;
|
||||
}
|
||||
|
||||
private boolean doSetUserStatus(long userId, State state) {
|
||||
UserVO userForUpdate = _userDao.createForUpdate();
|
||||
userForUpdate.setState(state);
|
||||
return _userDao.update(Long.valueOf(userId), userForUpdate);
|
||||
|
|
@ -1019,6 +1047,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
String timezone = cmd.getTimezone();
|
||||
String accountName = cmd.getAccountName();
|
||||
short userType = cmd.getAccountType().shortValue();
|
||||
DomainVO domain = _domainDao.findById(domainId);
|
||||
checkAccess(UserContext.current().getCaller(), domain);
|
||||
|
||||
try {
|
||||
if (accountName == null) {
|
||||
|
|
@ -1032,8 +1062,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
if (account != null) {
|
||||
throw new CloudRuntimeException("The specified account: "+account.getAccountName()+" already exists");
|
||||
}
|
||||
|
||||
DomainVO domain = _domainDao.findById(domainId);
|
||||
|
||||
if(domain == null) {
|
||||
throw new CloudRuntimeException("The domain "+domainId+" does not exist; unable to create account");
|
||||
} else {
|
||||
|
|
@ -1070,6 +1099,12 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
accountId = newAccount.getId();
|
||||
}
|
||||
|
||||
if(userType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){
|
||||
List<DataCenterVO> dc = _dcDao.findZonesByDomainId(domainId);
|
||||
if (dc == null || dc.size() == 0 ){
|
||||
throw new CloudRuntimeException("The account cannot be created as domain "+domain.getName()+" is not associated with any private Zone");
|
||||
}
|
||||
}
|
||||
if (accountId == null) {
|
||||
throw new CloudRuntimeException("Failed to create account for user: " + username + "; unable to create user");
|
||||
}
|
||||
|
|
@ -1122,7 +1157,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
if (domainId == null) {
|
||||
domainId = Domain.ROOT_DOMAIN;
|
||||
}
|
||||
|
||||
DomainVO domain = _domainDao.findById(domainId);
|
||||
checkAccess(UserContext.current().getCaller(), domain);
|
||||
Account account = _accountDao.findActiveAccount(accountName, domainId);
|
||||
|
||||
if(account == null){
|
||||
|
|
@ -1130,8 +1166,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
}else{
|
||||
accountId = account.getAccountId();
|
||||
}
|
||||
|
||||
DomainVO domain = _domainDao.findById(domainId);
|
||||
|
||||
if(domain == null) {
|
||||
throw new CloudRuntimeException("The domain "+domainId+" does not exist; unable to create user");
|
||||
} else {
|
||||
|
|
@ -1196,7 +1231,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
if (account != null && (account.getId() == Account.ACCOUNT_ID_SYSTEM)) {
|
||||
throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed");
|
||||
}
|
||||
|
||||
checkAccess(UserContext.current().getCaller(), account);
|
||||
|
||||
if (firstName == null) {
|
||||
firstName = user.getFirstname();
|
||||
}
|
||||
|
|
@ -1375,6 +1411,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
@Override @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_DELETE, eventDescription = "deleting account", async=true)
|
||||
//This method deletes the account
|
||||
public boolean deleteUserAccount(DeleteAccountCmd cmd) {
|
||||
|
||||
UserContext ctx = UserContext.current();
|
||||
long callerUserId = ctx.getCallerUserId();
|
||||
Account caller = ctx.getCaller();
|
||||
|
|
@ -1383,6 +1420,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
|
||||
// If the user is a System user, return an error. We do not allow this
|
||||
AccountVO account = _accountDao.findById(accountId);
|
||||
checkAccess(UserContext.current().getCaller(), account);
|
||||
if ((account != null) && (account.getId() == Account.ACCOUNT_ID_SYSTEM)) {
|
||||
throw new PermissionDeniedException("Account id : " + accountId + " is a system account, delete is not allowed");
|
||||
}
|
||||
|
|
@ -1540,7 +1578,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag
|
|||
if ((user != null) && (user.getAccountId() == Account.ACCOUNT_ID_SYSTEM)) {
|
||||
throw new InvalidParameterValueException("Account id : " + user.getAccountId() + " is a system account, delete for user associated with this account is not allowed");
|
||||
}
|
||||
|
||||
checkAccess(UserContext.current().getCaller(), _accountDao.findById(user.getAccountId()));
|
||||
return _userDao.remove(id);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -187,7 +187,7 @@ public class AccountDaoImpl extends GenericDaoBase<AccountVO, Long> implements A
|
|||
public List<AccountVO> findAdminAccountsForDomain(Long domain) {
|
||||
SearchCriteria<AccountVO> sc = AccountTypeSearch.create();
|
||||
sc.addAnd("domainId", Op.EQ, domain);
|
||||
sc.addAnd("type", Op.IN, Account.ACCOUNT_TYPE_ADMIN, Account.ACCOUNT_TYPE_DOMAIN_ADMIN, Account.ACCOUNT_TYPE_READ_ONLY_ADMIN);
|
||||
sc.addAnd("type", Op.IN, Account.ACCOUNT_TYPE_ADMIN, Account.ACCOUNT_TYPE_DOMAIN_ADMIN, Account.ACCOUNT_TYPE_READ_ONLY_ADMIN, Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
|
||||
return null;
|
||||
}
|
||||
|
||||
|
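Review bot: Adding `Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` to the `type` filter has no effect, because `findAdminAccountsForDomain` builds `sc` and then hits `return null;` on the next line without ever running the search. Any caller that uses this list to find a domain's admin accounts gets `null` back for the new role, just as it does for the existing ones, so it either dereferences null or silently skips the admins. Return the query result instead, e.g. `return listBy(sc);`, assuming that is the `GenericDaoBase` helper the other finders in this class use. If the method is deliberately unused, say so in a comment rather than extending a filter that is then discarded.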
|
|
|||
|
|
@ -468,7 +468,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
}
|
||||
|
||||
// If the account is not an admin, check that the volume and the virtual machine are owned by the account that was passed in
|
||||
if (account != null) {
|
||||
_accountMgr.checkAccess(account, volume);
|
||||
/*if (account != null) {
|
||||
if (!isAdmin(account.getType())) {
|
||||
if (account.getId() != volume.getAccountId()) {
|
||||
throw new PermissionDeniedException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName() + ". Permission denied.");
|
||||
|
|
@ -483,7 +484,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
throw new PermissionDeniedException("Unable to attach volume " + volumeId + " to virtual machine instance " + vmId + ". Permission denied.");
|
||||
}
|
||||
}
|
||||
}
|
||||
}*/
|
||||
|
||||
VolumeVO rootVolumeOfVm = null;
|
||||
List<VolumeVO> rootVolumesOfVm = _volsDao.findByInstanceAndType(vmId, Volume.Type.ROOT);
|
||||
|
|
@ -673,7 +674,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
}
|
||||
|
||||
// If the account is not an admin, check that the volume is owned by the account that was passed in
|
||||
if (!isAdmin) {
|
||||
_accountMgr.checkAccess(account, volume);
|
||||
/*if (!isAdmin) {
|
||||
if (account.getId() != volume.getAccountId()) {
|
||||
throw new InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName());
|
||||
}
|
||||
|
|
@ -681,7 +683,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
if (!_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId())) {
|
||||
throw new PermissionDeniedException("Unable to detach volume with ID: " + volumeId + ", permission denied.");
|
||||
}
|
||||
}
|
||||
}*/
|
||||
|
||||
// Check that the volume is a data volume
|
||||
if (volume.getVolumeType() != Volume.Type.DATADISK) {
|
||||
|
|
@ -1592,6 +1594,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
|
@ -2660,7 +2663,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager
|
|||
accountId = caller.getId();
|
||||
}
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
if (isRecursive == null) {
|
||||
DomainVO domain = _domainDao.findById(caller.getDomainId());
|
||||
path = domain.getPath();
|
||||
|
|
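Review bot: The attach path now authorises only the volume. `_accountMgr.checkAccess(account, volume);` replaces a block whose own comment says it verified that the volume and the virtual machine are owned by the account, and the rest of that block, up to the `}*/` in the following hunk, is commented out rather than ported. Part of the old block and the rest of the method lie outside these hunks, so the instance may be checked elsewhere; if it is not, add the equivalent `checkAccess` call for the VM loaded from `vmId` and delete the commented-out code. The old `if (account != null)` guard is also gone here, as is `if (!isAdmin)` in the detach hunk, so confirm that `checkAccess` tolerates a null caller and treats each admin role, including the new one, as intended.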
|
|||