diff --git a/api/src/com/cloud/api/BaseCmd.java b/api/src/com/cloud/api/BaseCmd.java index b6b4ff57504..2bce3c2fe31 100755 --- a/api/src/com/cloud/api/BaseCmd.java +++ b/api/src/com/cloud/api/BaseCmd.java @@ -543,6 +543,7 @@ public abstract class BaseCmd { public static boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } diff --git a/api/src/com/cloud/api/commands/ListIsosCmd.java b/api/src/com/cloud/api/commands/ListIsosCmd.java index a855b9337e8..7d76b6989a9 100755 --- a/api/src/com/cloud/api/commands/ListIsosCmd.java +++ b/api/src/com/cloud/api/commands/ListIsosCmd.java @@ -24,6 +24,7 @@ import java.util.Set; import org.apache.log4j.Logger; import com.cloud.api.ApiConstants; +import com.cloud.api.BaseCmd; import com.cloud.api.BaseListCmd; import com.cloud.api.Implementation; import com.cloud.api.Parameter; @@ -155,7 +156,7 @@ public class ListIsosCmd extends BaseListCmd { boolean isAdmin = false; Account account = UserContext.current().getCaller(); - if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) { + if ((account == null) || BaseCmd.isAdmin(account.getType())) { isAdmin = true; } diff --git a/api/src/com/cloud/api/commands/ListTemplatesCmd.java b/api/src/com/cloud/api/commands/ListTemplatesCmd.java old mode 100644 new mode 100755 index 1f884cfd8fc..ae88c63fce5 --- a/api/src/com/cloud/api/commands/ListTemplatesCmd.java +++ b/api/src/com/cloud/api/commands/ListTemplatesCmd.java @@ -25,6 +25,7 @@ import java.util.Set; import org.apache.log4j.Logger; import com.cloud.api.ApiConstants; +import com.cloud.api.BaseCmd; import com.cloud.api.BaseListCmd; import com.cloud.api.Implementation; import com.cloud.api.Parameter; 
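Review bot: `BaseCmd.isAdmin` is one of several hand-maintained copies of the same predicate, and this commit has to add `ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` to each copy separately (VirtualNetworkApplianceManagerImpl, SecurityGroupManagerImpl, ManagementServerImpl, StorageManagerImpl, SnapshotManagerImpl, TemplateManagerImpl, AccountManagerImpl). A copy that is missed the next time an account type is added will silently give a different authorization answer in that manager. Consider letting the private copies delegate to this method and documenting it, e.g. `/** True for root, domain, resource-domain and read-only admin account types. */`. The class body continues outside the hunk.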
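Review bot: Swapping the explicit two-type test for `BaseCmd.isAdmin(account.getType())` in ListIsosCmd also lets `ACCOUNT_TYPE_READ_ONLY_ADMIN` callers set `isAdmin = true`, which the old condition did not. The same substitution is made in ListTemplatesCmd, in both ApiResponseHelper hunks, and in SecurityGroupManagerImpl, where the branch guards creating a security group for another account in a child domain. If only the resource domain admin was meant to be added, keep the test narrow, e.g. `|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN`. What `isAdmin` gates further down lies outside these hunks, so the effect should be confirmed per call site.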
@@ -124,7 +125,7 @@ public class ListTemplatesCmd extends BaseListCmd { boolean isAdmin = false; Account account = UserContext.current().getCaller(); - if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) { + if ((account == null) || BaseCmd.isAdmin(account.getType())) { isAdmin = true; } diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index ee98e80b3ce..da3c0cf7dc8 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -122,7 +122,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { } //if account is normal user or domain admin //check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering) - else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) + else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { if(account.getDomainId() == dof.getDomainId()) { @@ -170,7 +170,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { } //if account is normal user or domain admin //check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering) - else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) + else if(account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { if(account.getDomainId() == so.getDomainId()) { 
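Review bot: The comment above both widened branches in DomainChecker still reads `//if account is normal user or domain admin`, so it no longer describes the condition it sits on. Update it at the disk offering and the service offering check to `//if account is normal user, domain admin or resource domain admin`. Both methods start and end outside the hunks.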
diff --git a/server/src/com/cloud/agent/manager/AgentManagerImpl.java b/server/src/com/cloud/agent/manager/AgentManagerImpl.java index f01e6ce4c43..60831c70a37 100755 --- a/server/src/com/cloud/agent/manager/AgentManagerImpl.java +++ b/server/src/com/cloud/agent/manager/AgentManagerImpl.java @@ -795,6 +795,8 @@ public class AgentManagerImpl implements AgentManager, HandlerFactory, ResourceS String hostTag = cmd.getHostTag(); MapbareMetalParams = new HashMap(); + dcId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), dcId); + // this is for standalone option if (clusterName == null && clusterId == null) { clusterName = "Standalone-" + url; @@ -1303,7 +1305,7 @@ public class AgentManagerImpl implements AgentManager, HandlerFactory, ResourceS throw new InvalidParameterValueException("Host with id " + id.toString() + " doesn't exist"); } - + _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), host.getDataCenterId()); return deleteHost(id); } diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 761c28f065f..9d92e7b4dde 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -1743,7 +1743,7 @@ public class ApiResponseHelper implements ResponseGenerator { // set status Account account = UserContext.current().getCaller(); boolean isAdmin = false; - if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) { + if ((account == null) || BaseCmd.isAdmin(account.getType())) { isAdmin = true; } 
@@ -1815,7 +1815,7 @@ public class ApiResponseHelper implements ResponseGenerator { // set status Account account = UserContext.current().getCaller(); boolean isAdmin = false; - if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) { + if ((account == null) || BaseCmd.isAdmin(account.getType())) { isAdmin = true; } diff --git a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java old mode 100644 new mode 100755 index ae6fcca0a8d..a0d6def5104 --- a/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java +++ b/server/src/com/cloud/network/lb/LoadBalancingRulesManagerImpl.java @@ -654,8 +654,8 @@ public class LoadBalancingRulesManagerImpl implements LoadBalancingRulesManager, Pair accountDomainPair = _accountMgr.finalizeAccountDomainForList(caller, cmd.getAccountName(), cmd.getDomainId()); String accountName = accountDomainPair.first(); Long domainId = accountDomainPair.second(); - - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + + if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { Domain domain = _accountMgr.getDomain(caller.getDomainId()); path = domain.getPath(); } diff --git a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java old mode 100644 new mode 100755 index dd6736dca7a..8602f2a6730 --- a/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java +++ b/server/src/com/cloud/network/router/VirtualNetworkApplianceManagerImpl.java 
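Review bot: The pair `caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` is written out in LoadBalancingRulesManagerImpl and repeated in RulesManagerImpl, RemoteAccessVpnManagerImpl, ManagementServerImpl, VMTemplateDaoImpl and SnapshotManagerImpl. Each copy decides whether a listing is restricted to the caller's domain path, so a site that is missed leaves that listing unscoped for the new account type. A single predicate placed next to `isAdmin`, for example a new `isDomainScopedAdmin(short accountType)`, would keep the scoping rule in one place. The enclosing method continues outside the hunk.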
@@ -693,7 +693,7 @@ public class VirtualNetworkApplianceManagerImpl implements VirtualNetworkApplian } public static boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); + return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)); } @Override diff --git a/server/src/com/cloud/network/rules/RulesManagerImpl.java b/server/src/com/cloud/network/rules/RulesManagerImpl.java old mode 100644 new mode 100755 index 7c25b2fac24..7c79ee1dd8a --- a/server/src/com/cloud/network/rules/RulesManagerImpl.java +++ b/server/src/com/cloud/network/rules/RulesManagerImpl.java @@ -623,7 +623,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { _accountMgr.checkAccess(caller, ipAddressVO); } - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { Domain domain = _accountMgr.getDomain(caller.getDomainId()); path = domain.getPath(); } @@ -835,7 +835,7 @@ public class RulesManagerImpl implements RulesManager, RulesService, Manager { _accountMgr.checkAccess(caller, ipAddressVO); } - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { Domain domain = _accountMgr.getDomain(caller.getDomainId()); path = domain.getPath(); } diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java old mode 100644 new mode 100755 index d18387787ce..25728d44434 
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java +++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java @@ -746,6 +746,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG private static boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } @@ -760,7 +761,7 @@ public class SecurityGroupManagerImpl implements SecurityGroupManager, SecurityG Account account = UserContext.current().getCaller(); if (account != null) { - if ((account.getType() == Account.ACCOUNT_TYPE_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) { + if (isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { if (!_domainDao.isChildDomain(account.getDomainId(), domainId)) { throw new PermissionDeniedException("Unable to create security group in domain " + domainId + ", permission denied."); diff --git a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java old mode 100644 new mode 100755 index 3c355250e54..7d91d7b08ba --- a/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java +++ b/server/src/com/cloud/network/vpn/RemoteAccessVpnManagerImpl.java @@ -416,7 +416,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag Long domainId = accountDomainPair.second(); - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { Domain domain = _accountMgr.getDomain(caller.getDomainId()); path = domain.getPath(); } 
@@ -477,7 +477,7 @@ public class RemoteAccessVpnManagerImpl implements RemoteAccessVpnService, Manag String accountName = accountDomainPair.first(); Long domainId = accountDomainPair.second(); - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { Domain domain = _accountMgr.getDomain(caller.getDomainId()); path = domain.getPath(); } diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java index e89bf877fde..b0982aa956a 100755 --- a/server/src/com/cloud/server/ManagementServerImpl.java +++ b/server/src/com/cloud/server/ManagementServerImpl.java @@ -756,7 +756,7 @@ public class ManagementServerImpl implements ManagementServer { //add all public zones too dcs.addAll(_dcDao.listPublicZones()); removeDisabledZones = true; - }else if(account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN){ + }else if(account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){ //it was decided to return all zones for the domain admin, and everything above till root dcs = new ArrayList(); DomainVO domainRecord = _domainDao.findById(account.getDomainId()); @@ -1058,7 +1058,7 @@ public class ManagementServerImpl implements ManagementServer { } //For non-root users - if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)){ + if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){ return searchServiceOfferingsInternal(account, name, id, vmId, keyword, searchFilter); } 
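Review bot: In the zone listing hunk at `-756` the resource domain admin is routed into the domain admin branch, whose comment says all zones for the domain "and everything above till root" are returned. `checkAccessAndSpecifyAuthority`, added by this same commit, states that this account type "should be permitted to see only his zone". The two rules disagree as written; if the single-zone rule is the intended one, this branch should restrict the result to the caller's zone instead of reusing the domain admin path. The rest of the method is outside the hunk.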
@@ -1191,10 +1191,12 @@ public class ManagementServerImpl implements ManagementServer { Object id = cmd.getId(); Object name = cmd.getClusterName(); Object podId = cmd.getPodId(); - Object zoneId = cmd.getZoneId(); + Long zoneId = cmd.getZoneId(); Object hypervisorType = cmd.getHypervisorType(); Object clusterType = cmd.getClusterType(); Object allocationState = cmd.getAllocationState(); + + zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), zoneId); if (id != null) { sc.addAnd("id", SearchCriteria.Op.EQ, id); @@ -1229,17 +1231,18 @@ public class ManagementServerImpl implements ManagementServer { @Override public List searchForServers(ListHostsCmd cmd) { + + Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), cmd.getZoneId()); Object name = cmd.getHostName(); Object type = cmd.getType(); - Object state = cmd.getState(); - Object zone = cmd.getZoneId(); + Object state = cmd.getState(); Object pod = cmd.getPodId(); Object cluster = cmd.getClusterId(); Object id = cmd.getId(); Object keyword = cmd.getKeyword(); Object allocationState = cmd.getAllocationState(); - return searchForServers(cmd.getStartIndex(), cmd.getPageSizeVal(), name, type, state, zone, pod, cluster, id, keyword, allocationState); + return searchForServers(cmd.getStartIndex(), cmd.getPageSizeVal(), name, type, state, zoneId, pod, cluster, id, keyword, allocationState); } @Override @@ -1364,6 +1367,8 @@ public class ManagementServerImpl implements ManagementServer { Long zoneId = cmd.getZoneId(); Object keyword = cmd.getKeyword(); Object allocationState = cmd.getAllocationState(); + + zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), zoneId); if (keyword != null) { SearchCriteria ssc = _hostPodDao.createSearchCriteria(); 
@@ -2005,20 +2010,7 @@ public class ManagementServerImpl implements ManagementServer { } //do a permission check - if (account != null) { - Long templateOwner = template.getAccountId(); - if (!BaseCmd.isAdmin(account.getType())) { - if ((templateOwner == null) || (account.getId() != templateOwner.longValue())) { - throw new PermissionDeniedException("Unable to modify template/iso with id " + id + ", permission denied."); - } - } else if (account.getType() != Account.ACCOUNT_TYPE_ADMIN) { - Long templateOwnerDomainId = findDomainIdByAccountId(templateOwner); - if (!isChildDomain(account.getDomainId(), templateOwnerDomainId)) { - throw new PermissionDeniedException("Unable to modify template/iso with id " + id + ", permission denied"); - } - } - } - + _accountMgr.checkAccess(account, template); boolean updateNeeded = !(name == null && displayText == null && format == null && guestOSId == null && passwordEnabled == null && bootable == null); if (!updateNeeded) { @@ -2876,7 +2868,7 @@ public class ManagementServerImpl implements ManagementServer { Account account = UserContext.current().getCaller(); String path = null; - if (account != null && account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (account != null && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) { DomainVO domain = _domainDao.findById(account.getDomainId()); if (domain != null) { path = domain.getPath(); @@ -3218,10 +3210,13 @@ public class ManagementServerImpl implements ManagementServer { Object type = cmd.getType(); Object keyword = cmd.getKeyword(); - + Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), null); if (id != null) { sc.addAnd("id", SearchCriteria.Op.EQ, id); } + if (zoneId != null){ + sc.addAnd("data_center_id", SearchCriteria.Op.EQ, zoneId); + } if (keyword != null) { SearchCriteria ssc = _alertDao.createSearchCriteria(); 
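Review bot: `_accountMgr.checkAccess(account, template)` is now called unconditionally, whereas the block it replaces was guarded by `if (account != null)`. The same applies to the permission update hunk at `-3366` and to `_accountMgr.checkAccess(account, volume)` in StorageManagerImpl, where the removed code also tested `account != null`. Whether `checkAccess` tolerates a null caller is not visible here; if it does not, requests that previously passed will fail with a NullPointerException. Either keep the guard, `if (account != null) { _accountMgr.checkAccess(account, template); }`, or state in the `checkAccess` Javadoc how a null caller is treated.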
@@ -3248,6 +3243,8 @@ public class ManagementServerImpl implements ManagementServer { Long zoneId = cmd.getZoneId(); Long podId = cmd.getPodId(); Long hostId = cmd.getHostId(); + + zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), zoneId); if (type != null) { sc.addAnd("capacityType", SearchCriteria.Op.EQ, type); @@ -3315,6 +3312,7 @@ public class ManagementServerImpl implements ManagementServer { public static boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } @@ -3366,17 +3364,7 @@ public class ManagementServerImpl implements ManagementServer { } } - if (account != null) - { - if (!isAdmin(account.getType()) && (template.getAccountId() != account.getId())) { - throw new PermissionDeniedException("unable to update permissions for " + mediaType + " with id " + id); - } else if (account.getType() != Account.ACCOUNT_TYPE_ADMIN) { - Long templateOwnerDomainId = findDomainIdByAccountId(template.getAccountId()); - if (!isChildDomain(account.getDomainId(), templateOwnerDomainId)) { - throw new PermissionDeniedException("Unable to update permissions for " + mediaType + " with id " + id); - } - } - } + _accountMgr.checkAccess(account, template); // If command is executed via 8096 port, set userId to the id of System account (1) if (userId == null) { 
@@ -3510,7 +3498,7 @@ public class ManagementServerImpl implements ManagementServer { if (accountId != null && !template.isPublicTemplate()) { if (account.getType() == Account.ACCOUNT_TYPE_NORMAL && template.getAccountId() != accountId) { throw new PermissionDeniedException("unable to list permissions for " + cmd.getMediaType() + " with id " + id); - } else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + } else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { DomainVO accountDomain = _domainDao.findById(account.getDomainId()); Account templateAccount = _accountDao.findById(template.getAccountId()); DomainVO templateDomain = _domainDao.findById(templateAccount.getDomainId()); @@ -3633,7 +3621,7 @@ public class ManagementServerImpl implements ManagementServer { } //For non-root users - if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)){ + if((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){ return searchDiskOfferingsInternal(account, name, id, keyword, searchFilter); } @@ -3835,6 +3823,8 @@ public class ManagementServerImpl implements ManagementServer { @Override public List searchForStoragePools(ListStoragePoolsCmd cmd) { + + Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), cmd.getZoneId()); Criteria c = new Criteria("id", Boolean.TRUE, cmd.getStartIndex(), cmd.getPageSizeVal()); c.addCriteria(Criteria.ID, cmd.getId()); c.addCriteria(Criteria.NAME, cmd.getStoragePoolName()); 
@@ -3843,7 +3833,7 @@ public class ManagementServerImpl implements ManagementServer { c.addCriteria(Criteria.KEYWORD, cmd.getKeyword()); c.addCriteria(Criteria.PATH, cmd.getPath()); c.addCriteria(Criteria.PODID, cmd.getPodId()); - c.addCriteria(Criteria.DATACENTERID, cmd.getZoneId()); + c.addCriteria(Criteria.DATACENTERID, zoneId); return searchForStoragePools(c); } @@ -4050,10 +4040,11 @@ public class ManagementServerImpl implements ManagementServer { @Override @SuppressWarnings({"unchecked", "rawtypes"}) public List searchForSystemVm(ListSystemVMsCmd cmd) { Criteria c = new Criteria("id", Boolean.TRUE, cmd.getStartIndex(), cmd.getPageSizeVal()); + Long zoneId = _accountMgr.checkAccessAndSpecifyAuthority(UserContext.current().getCaller(), cmd.getZoneId()); c.addCriteria(Criteria.KEYWORD, cmd.getKeyword()); c.addCriteria(Criteria.ID, cmd.getId()); - c.addCriteria(Criteria.DATACENTERID, cmd.getZoneId()); + c.addCriteria(Criteria.DATACENTERID, zoneId); c.addCriteria(Criteria.PODID, cmd.getPodId()); c.addCriteria(Criteria.HOSTID, cmd.getHostId()); c.addCriteria(Criteria.NAME, cmd.getSystemVmName()); @@ -4853,20 +4844,8 @@ public class ManagementServerImpl implements ManagementServer { Account caller = UserContext.current().getCaller(); String accountName = cmd.getAccountName(); Long domainId = cmd.getDomainId(); - Account owner = null; - - if (accountName != null) { - if (domainId != null) { - owner = _accountMgr.getActiveAccount(accountName, domainId); - } else { - throw new InvalidParameterValueException("DomainId has to be specified along with account"); - } - - //check account permissions - _accountMgr.checkAccess(caller, owner); - } else { - owner = caller; - } + Account owner = null; + _accountMgr.finalizeOwner(caller, accountName, domainId); SSHKeyPairVO s = _sshKeyPairDao.findByName(owner.getAccountId(), owner.getDomainId(), cmd.getName()); if (s == null) { 
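Review bot: In the SSH key pair hunk at `-4853` the return value of `_accountMgr.finalizeOwner(caller, accountName, domainId)` is discarded, so `owner` is still null when `owner.getAccountId()` is evaluated in the following statement and the call fails with a NullPointerException for every caller. Assign the result instead: `Account owner = _accountMgr.finalizeOwner(caller, accountName, domainId);`. The method continues outside the hunk.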
@@ -4888,7 +4867,7 @@ public class ManagementServerImpl implements ManagementServer { if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) { accountId = caller.getId(); domainId = caller.getDomainId(); - } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { DomainVO domain = _domainDao.findById(caller.getDomainId()); path = domain.getPath(); } diff --git a/server/src/com/cloud/storage/StorageManagerImpl.java b/server/src/com/cloud/storage/StorageManagerImpl.java index e55990429b3..826e262015d 100755 --- a/server/src/com/cloud/storage/StorageManagerImpl.java +++ b/server/src/com/cloud/storage/StorageManagerImpl.java @@ -2258,6 +2258,7 @@ public class StorageManagerImpl implements StorageManager, StorageService, Manag private boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } 
@@ -2283,23 +2284,7 @@ public class StorageManagerImpl implements StorageManager, StorageService, Manag } // If the account is not an admin, check that the volume is owned by the account that was passed in - if (!isAdmin) { - if (account.getId() != volume.getAccountId()) { - throw new InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName()); - } - } else if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId())) { - throw new PermissionDeniedException("Unable to delete volume with id " + volumeId + ", permission denied."); - } - - // If the account is not an admin, check that the volume is owned by the account that was passed in - if (!isAdmin) { - if (account.getId() != volume.getAccountId()) { - throw new InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: " - + account.getAccountName()); - } - } else if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId())) { - throw new PermissionDeniedException("Unable to delete volume with id " + volumeId + ", permission denied."); - } + _accountMgr.checkAccess(account, volume); // Check that the volume is stored on shared storage // NOTE: We used to ensure the volume is on shared storage before deleting. However, this seems like an unnecessary check since all we allow diff --git a/server/src/com/cloud/storage/dao/VMTemplateDaoImpl.java b/server/src/com/cloud/storage/dao/VMTemplateDaoImpl.java index 64d8813b7db..cbe203bc7a0 100755 --- a/server/src/com/cloud/storage/dao/VMTemplateDaoImpl.java +++ b/server/src/com/cloud/storage/dao/VMTemplateDaoImpl.java 
@@ -290,7 +290,7 @@ public class VMTemplateDaoImpl extends GenericDaoBase implem if (templateFilter == TemplateFilter.featured) { whereClause += " WHERE t.public = 1 AND t.featured = 1"; } else if ((templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable) && accountType != Account.ACCOUNT_TYPE_ADMIN) { - if (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { whereClause += " INNER JOIN account a on (t.account_id = a.id) INNER JOIN domain d on (a.domain_id = d.id) WHERE d.path LIKE '" + domain.getPath() + "%'"; } else { whereClause += " WHERE t.account_id = " + accountId; diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java index 430fe3ed012..91f092def1b 100755 --- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java +++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java @@ -324,7 +324,8 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma Account owner = _accountMgr.getAccount(v.getAccountId()); SnapshotVO snapshot = null; boolean backedUp = false; - + //does the caller have the authority to act on this volume + checkAccountPermissions(v.getAccountId(), v.getDomainId(), "volume", volumeId); try { if (v != null && _volsDao.getHypervisorType(v.getId()).equals(HypervisorType.KVM)) { /* KVM needs to lock on the vm of volume, because it takes snapshot on behalf of vm, not volume */ 
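Review bot: The branch widened in VMTemplateDaoImpl builds its filter by concatenating `domain.getPath()` into the SQL text (`WHERE d.path LIKE '" + domain.getPath() + "%'`), and a further account type now reaches it. A path containing a quote or a LIKE wildcard would alter the query, so the value is better passed as a bound parameter (`d.path LIKE ?`, with the `%` appended to the argument). The concatenation predates this commit and the statement preparation is outside the hunk, so this is a follow-up rather than a regression.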
@@ -589,21 +590,23 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma Account account = UserContext.current().getCaller(); if (account != null) { - if (!isAdmin(account.getType())) { + + /*if (!isAdmin(account.getType())) { if (account.getId() != targetAccountId) { throw new InvalidParameterValueException("Unable to find a " + targetDesc + " with id " + targetId + " for this account"); } } else if (!_domainDao.isChildDomain(account.getDomainId(), targetDomainId)) { throw new PermissionDeniedException("Unable to perform operation for " + targetDesc + " with id " + targetId + ", permission denied."); } - accountId = account.getId(); + accountId = account.getId();*/ + _accountMgr.checkAccess(account, _domainDao.findById(targetDomainId)); } return accountId; } private static boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); + return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } @Override @@ -773,7 +776,7 @@ public class SnapshotManagerImpl implements SnapshotManager, SnapshotService, Ma if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), domainId)) { throw new PermissionDeniedException("Unable to list templates for domain " + domainId + ", permission denied."); } - } else if ((account != null) && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)) { + } else if ((account != null) && ((account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN))) { domainId = account.getDomainId(); } 
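Review bot: In `checkAccountPermissions` the ownership test for non-admin callers (`account.getId() != targetAccountId`) is commented out and replaced by the domain-level call `_accountMgr.checkAccess(account, _domainDao.findById(targetDomainId))`. Unless that overload also compares account ids, which is not visible here, a normal user may now pass the check for another account's volume or snapshot in the same domain. The assignment `accountId = account.getId()` is disabled too, so the returned value changes for any caller that relies on it. Prefer checking against the owning account or the resource itself, and delete the commented-out block instead of leaving it in the method.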
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java index 5408358aadf..65199b3c378 100755 --- a/server/src/com/cloud/template/TemplateManagerImpl.java +++ b/server/src/com/cloud/template/TemplateManagerImpl.java @@ -1285,6 +1285,7 @@ public class TemplateManagerImpl implements TemplateManager, Manager, TemplateSe private static boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } diff --git a/server/src/com/cloud/user/AccountManager.java b/server/src/com/cloud/user/AccountManager.java index 6295d48ca28..52a07a18a9c 100755 --- a/server/src/com/cloud/user/AccountManager.java +++ b/server/src/com/cloud/user/AccountManager.java @@ -116,4 +116,6 @@ public interface AccountManager extends AccountService { @Override UserVO createUser(CreateUserCmd cmd); + Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId); + } diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index d20eaadb404..36f119bddec 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -53,6 +53,8 @@ import com.cloud.configuration.ResourceLimitVO; import com.cloud.configuration.dao.ConfigurationDao; import com.cloud.configuration.dao.ResourceCountDao; import com.cloud.configuration.dao.ResourceLimitDao; +import com.cloud.dc.DataCenterVO; +import com.cloud.dc.dao.DataCenterDao; import com.cloud.domain.Domain; import com.cloud.domain.DomainVO; import com.cloud.domain.dao.DomainDao; 
@@ -146,6 +148,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag @Inject private RemoteAccessVpnDao _remoteAccessVpnDao; @Inject private RemoteAccessVpnService _remoteAccessVpnMgr; @Inject private VpnUserDao _vpnUser; + @Inject private DataCenterDao _dcDao; private final ScheduledExecutorService _executor = Executors.newScheduledThreadPool(1, new NamedThreadFactory("AccountChecker")); private final GlobalLock m_resourceCountLock = GlobalLock.getInternLock("resource.count"); @@ -470,11 +473,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag Long accountId = null; Account account = UserContext.current().getCaller(); - if ((account == null) || - (account.getType() == Account.ACCOUNT_TYPE_ADMIN) || - (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || - (account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) { - + if ((account == null) || isAdmin(account.getType())) { if (accountName != null) { // Look up limits for the specified account @@ -486,7 +485,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag if (userAccount == null) { throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId); - } else if (account != null && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) { + } else if (account != null && (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN || account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)) { // If this is a non-root admin, make sure that the admin and the user account belong in the same domain or // that the user account's domain is a child domain of the parent if (account.getDomainId() != userAccount.getDomainId() && !_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) { 
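Review bot: The clause added in the hunk at `-486` repeats `account.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN`, so the condition is unchanged, and a resource domain admin, who now enters the outer branch through `isAdmin`, skips the same-or-child-domain check on `userAccount` that follows. The third operand was presumably meant to be `account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN`. The method starts and ends outside the hunk.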
@@ -572,7 +571,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag domainId = DomainVO.ROOT_DOMAIN; // for root admin, default to root domain if domain is not specified } - if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { if ((domainId != null) && (accountName == null) && domainId.equals(account.getDomainId())) { // if the admin is trying to update their own domain, disallow... throw new PermissionDeniedException("Unable to update resource limit for domain " + domainId + ", permission denied"); @@ -700,6 +699,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag @Override public boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } @@ -708,6 +708,10 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag public boolean isRootAdmin(short accountType) { return (accountType == Account.ACCOUNT_TYPE_ADMIN); } + + public boolean isResourceDomainAdmin(short accountType){ + return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN); + } @Override public void checkAccess(Account caller, Domain domain) throws PermissionDeniedException { 
@@ -770,7 +774,31 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag } } - private boolean doSetUserStatus(long userId, State state) { + @Override + public Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId){ + //We just care for resource domain admin for now. He should be permitted to see only his zone. + if (isResourceDomainAdmin(caller.getType())){ + if (zoneId == null) + return getZoneIdForAccount(caller); + else if (getZoneIdForAccount(caller) != zoneId) + throw new PermissionDeniedException("Caller " +caller+ "is not allowed to access the zone " +zoneId); + else + return zoneId; + } + + else + return zoneId; + } + + private Long getZoneIdForAccount(Account account) { + + /* + *_dcDao.findZonesByDomainId(account.getDomainId()); + */ + return 1L; + } + + private boolean doSetUserStatus(long userId, State state) { UserVO userForUpdate = _userDao.createForUpdate(); userForUpdate.setState(state); return _userDao.update(Long.valueOf(userId), userForUpdate); @@ -1019,6 +1047,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag String timezone = cmd.getTimezone(); String accountName = cmd.getAccountName(); short userType = cmd.getAccountType().shortValue(); + DomainVO domain = _domainDao.findById(domainId); + checkAccess(UserContext.current().getCaller(), domain); try { if (accountName == null) { @@ -1032,8 +1062,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag if (account != null) { throw new CloudRuntimeException("The specified account: "+account.getAccountName()+" already exists"); } - - DomainVO domain = _domainDao.findById(domainId); + if(domain == null) { throw new CloudRuntimeException("The domain "+domainId+" does not exist; unable to create account"); } else { 
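Review bot: `checkAccessAndSpecifyAuthority` does not yet enforce zone isolation, because `getZoneIdForAccount` is a stub that returns `1L` for every account; each resource domain admin is therefore bound to zone 1 whatever their domain, and refused any other zone. Until the commented-out `_dcDao.findZonesByDomainId` lookup is implemented, the helper should fail closed (for example by throwing `PermissionDeniedException`) rather than return a fixed id. The test `getZoneIdForAccount(caller) != zoneId` compares two `Long` objects by identity, not value; use `else if (!getZoneIdForAccount(caller).equals(zoneId))`. `caller.getType()` is also reached without a null check, although other paths in this class accept a null caller, and the message lacks a space before `is not allowed`.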
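Review bot: In the `@@ -1019,6 +1047,8 @@` hunk `checkAccess(UserContext.current().getCaller(), domain)` runs before the `if(domain == null)` test that the following hunk keeps further down, so an unknown `domainId` reaches the access check as null. Whether `checkAccess` tolerates a null argument is not visible here; it may throw a NullPointerException instead of the intended "does not exist" error, or it may pass without checking anything. Moving the null test above the call removes the ambiguity. The same ordering appears in the hunks at `-1122`, `-1196`, `-1383` and `-1540`, where `domain`, `account` or `user` is passed to or dereferenced for the new call although the surrounding code still treats it as possibly null.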
@@ -1070,6 +1099,12 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag accountId = newAccount.getId(); } + if(userType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN){ + List dc = _dcDao.findZonesByDomainId(domainId); + if (dc == null || dc.size() == 0 ){ + throw new CloudRuntimeException("The account cannot be created as domain "+domain.getName()+" is not associated with any private Zone"); + } + } if (accountId == null) { throw new CloudRuntimeException("Failed to create account for user: " + username + "; unable to create user"); } @@ -1122,7 +1157,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag if (domainId == null) { domainId = Domain.ROOT_DOMAIN; } - + DomainVO domain = _domainDao.findById(domainId); + checkAccess(UserContext.current().getCaller(), domain); Account account = _accountDao.findActiveAccount(accountName, domainId); if(account == null){ @@ -1130,8 +1166,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag }else{ accountId = account.getAccountId(); } - - DomainVO domain = _domainDao.findById(domainId); + if(domain == null) { throw new CloudRuntimeException("The domain "+domainId+" does not exist; unable to create user"); } else { @@ -1196,7 +1231,8 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag if (account != null && (account.getId() == Account.ACCOUNT_ID_SYSTEM)) { throw new PermissionDeniedException("user id : " + id + " is system account, update is not allowed"); } - + checkAccess(UserContext.current().getCaller(), account); + if (firstName == null) { firstName = user.getFirstname(); } 
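Review bot: The zone-association check for `ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` in the `@@ -1070,6 +1099,12 @@` hunk runs after `accountId = newAccount.getId()`, that is, after the account appears to have been created. If the surrounding `try` does not undo that (its handler is outside the hunk), a rejected request would still leave a resource-domain-admin account behind for a domain with no private zone. Running the `_dcDao.findZonesByDomainId(domainId)` check before the account is created avoids this. `List dc` is also a raw type; declare the element type, and prefer `dc.isEmpty()` over `dc.size() == 0`.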
@@ -1375,6 +1411,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag @Override @ActionEvent(eventType = EventTypes.EVENT_ACCOUNT_DELETE, eventDescription = "deleting account", async=true) //This method deletes the account public boolean deleteUserAccount(DeleteAccountCmd cmd) { + UserContext ctx = UserContext.current(); long callerUserId = ctx.getCallerUserId(); Account caller = ctx.getCaller(); @@ -1383,6 +1420,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag // If the user is a System user, return an error. We do not allow this AccountVO account = _accountDao.findById(accountId); + checkAccess(UserContext.current().getCaller(), account); if ((account != null) && (account.getId() == Account.ACCOUNT_ID_SYSTEM)) { throw new PermissionDeniedException("Account id : " + accountId + " is a system account, delete is not allowed"); } @@ -1540,7 +1578,7 @@ public class AccountManagerImpl implements AccountManager, AccountService, Manag if ((user != null) && (user.getAccountId() == Account.ACCOUNT_ID_SYSTEM)) { throw new InvalidParameterValueException("Account id : " + user.getAccountId() + " is a system account, delete for user associated with this account is not allowed"); } - + checkAccess(UserContext.current().getCaller(), _accountDao.findById(user.getAccountId())); return _userDao.remove(id); } diff --git a/server/src/com/cloud/user/dao/AccountDaoImpl.java b/server/src/com/cloud/user/dao/AccountDaoImpl.java old mode 100644 new mode 100755 index 987a5e58b4a..966c8b0d7ec --- a/server/src/com/cloud/user/dao/AccountDaoImpl.java +++ b/server/src/com/cloud/user/dao/AccountDaoImpl.java 
@@ -187,7 +187,7 @@ public class AccountDaoImpl extends GenericDaoBase implements A public List findAdminAccountsForDomain(Long domain) { SearchCriteria sc = AccountTypeSearch.create(); sc.addAnd("domainId", Op.EQ, domain); - sc.addAnd("type", Op.IN, Account.ACCOUNT_TYPE_ADMIN, Account.ACCOUNT_TYPE_DOMAIN_ADMIN, Account.ACCOUNT_TYPE_READ_ONLY_ADMIN); + sc.addAnd("type", Op.IN, Account.ACCOUNT_TYPE_ADMIN, Account.ACCOUNT_TYPE_DOMAIN_ADMIN, Account.ACCOUNT_TYPE_READ_ONLY_ADMIN, Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN); return null; } diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index f4764cb8947..0b6732cf8ae 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -468,7 +468,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager } // If the account is not an admin, check that the volume and the virtual machine are owned by the account that was passed in - if (account != null) { + _accountMgr.checkAccess(account, volume); + /*if (account != null) { if (!isAdmin(account.getType())) { if (account.getId() != volume.getAccountId()) { throw new PermissionDeniedException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName() + ". Permission denied."); @@ -483,7 +484,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager throw new PermissionDeniedException("Unable to attach volume " + volumeId + " to virtual machine instance " + vmId + ". Permission denied."); } } - } + }*/ VolumeVO rootVolumeOfVm = null; List rootVolumesOfVm = _volsDao.findByInstanceAndType(vmId, Volume.Type.ROOT); 
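Review bot: `findAdminAccountsForDomain` builds the search criteria and then ends with `return null;`, so adding `Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` to the `Op.IN` list has no effect and callers still receive null. If the method is meant to be used, it should return the result of running `sc`; if it is dead code, the criteria line need not be touched.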
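Review bot: The attach path in the `@@ -468,7 +468,8 @@` hunk now authorises only the volume, while the block it disables also covered the virtual machine, judging by its comment and the `Unable to attach volume ... to virtual machine instance` message. Unless the VM is checked elsewhere in the method (not visible in these hunks), a caller with rights on a volume is no longer stopped from attaching it to an instance they do not own; a second `checkAccess` call for the VM would restore that. The old block was also guarded by `account != null`, whereas `_accountMgr.checkAccess(account, volume)` receives `account` unconditionally. The disabled code is left inside `/* ... */` here and in the detach hunks at `-673` and `-681`; delete it instead, so the effective access rule is not obscured.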
@@ -673,7 +674,8 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager } // If the account is not an admin, check that the volume is owned by the account that was passed in - if (!isAdmin) { + _accountMgr.checkAccess(account, volume); + /*if (!isAdmin) { if (account.getId() != volume.getAccountId()) { throw new InvalidParameterValueException("Unable to find volume with ID: " + volumeId + " for account: " + account.getAccountName()); } @@ -681,7 +683,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager if (!_domainDao.isChildDomain(account.getDomainId(), volume.getDomainId())) { throw new PermissionDeniedException("Unable to detach volume with ID: " + volumeId + ", permission denied."); } - } + }*/ // Check that the volume is a data volume if (volume.getVolumeType() != Volume.Type.DATADISK) { @@ -1592,6 +1594,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager private static boolean isAdmin(short accountType) { return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || + (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); } @@ -2660,7 +2663,7 @@ public class UserVmManagerImpl implements UserVmManager, UserVmService, Manager accountId = caller.getId(); } - if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { + if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { if (isRecursive == null) { DomainVO domain = _domainDao.findById(caller.getDomainId()); path = domain.getPath();
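Review bot: The private `isAdmin` edited in the `@@ -1592,6 +1594,7 @@` hunk is a third copy of the predicate that this commit also edits in `BaseCmd` and `AccountManagerImpl`, so each new account type has to be added to all three by hand. A missed copy would change who counts as an administrator in one class only, which is easy to overlook in review. Consider delegating, for example `return BaseCmd.isAdmin(accountType);`, provided that class is reachable from this module.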