etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Refactoring account_type for Domain_Admin and Normal_User types

This commit is contained in:
Prachi Damle 2013-11-20 16:53:59 -08:00
parent 91e176cb0d
commit e0d2423f06
17 changed files with 104 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/src/com/cloud/user/AccountService.java
View File

@ -89,6 +89,10 @@ public interface AccountService {
boolean isRootAdmin(long accountId);
boolean isDomainAdmin(long accountId);
boolean isNormalUser(long accountId);
User getActiveUserByRegistrationToken(String registrationToken);
void markUserRegistered(long userId);

4
engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDao.java
View File

@ -33,4 +33,8 @@ public interface AclGroupAccountMapDao extends GenericDao<AclGroupAccountMapVO,
AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId);
void removeAccountFromGroups(long accountId);
AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId);
AclGroupAccountMapVO findAccountInUserGroup(long accountId);
}

17
engine/schema/src/org/apache/cloudstack/acl/dao/AclGroupAccountMapDaoImpl.java
View File

@ -82,6 +82,22 @@ public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMap
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInDomainAdminGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 3);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findAccountInUserGroup(long accountId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
sc.setParameters("accountId", accountId);
sc.setParameters("groupId", 1);
return findOneBy(sc);
}
@Override
public AclGroupAccountMapVO findByGroupAndAccount(long groupId, long acctId) {
SearchCriteria<AclGroupAccountMapVO> sc = _findByAccountAndGroupId.create();
@ -100,5 +116,4 @@ public class AclGroupAccountMapDaoImpl extends GenericDaoBase<AclGroupAccountMap
s_logger.debug("Removed account id=" + accountId + " from " + rowsRemoved + " groups");
}
}
}

12
plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java
View File

@ -385,6 +385,18 @@ public class MockAccountManager extends ManagerBase implements AccountManager {
// TODO Auto-generated method stub
}
@Override
public boolean isDomainAdmin(long accountId) {
// TODO Auto-generated method stub
return false;
}
@Override
public boolean isNormalUser(long accountId) {
// TODO Auto-generated method stub
return false;
}
}

16
server/src/com/cloud/acl/DomainChecker.java
View File

@ -72,7 +72,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
long domainId = domain.getId();
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (_accountService.isNormalUser(caller.getId())) {
if (caller.getDomainId() != domainId) {
throw new PermissionDeniedException(caller + " does not have permission to operate within domain id=" + domain.getId());
}
@ -132,7 +132,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
} else if (entity instanceof AffinityGroup) {
return false;
} else {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (_accountService.isNormalUser(caller.getId())) {
Account account = _accountDao.findById(entity.getAccountId());
if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
@ -172,7 +172,9 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is normal user or domain admin
//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for disk offering)
else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
else if (_accountService.isNormalUser(account.getId())
|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
|| _accountService.isDomainAdmin(account.getId())) {
if (account.getDomainId() == dof.getDomainId()) {
return true; //disk offering and account at exact node
} else {
@ -208,7 +210,9 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is normal user or domain admin
//check if account's domain is a child of zone's domain (Note: This is made consistent with the list command for service offering)
else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
else if (_accountService.isNormalUser(account.getId())
|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
|| _accountService.isDomainAdmin(account.getId())) {
if (account.getDomainId() == so.getDomainId()) {
return true; //service offering and account at exact node
} else {
@ -244,7 +248,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is normal user
//check if account's domain is a child of zone's domain
else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
else if (_accountService.isNormalUser(account.getId()) || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
// if zone is dedicated to an account check that the accountId
// matches.
DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId());
@ -280,7 +284,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
}
//if account is domain admin
//check if the account's domain is either child of zone's domain, or if zone's domain is child of account's domain
else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
else if (_accountService.isDomainAdmin(account.getId())) {
if (account.getDomainId() == zone.getDomainId()) {
return true; //zone and account at exact node
} else {

4
server/src/com/cloud/api/ApiResponseHelper.java
View File

@ -1941,12 +1941,12 @@ public class ApiResponseHelper implements ResponseGenerator {
Account jobOwner = _accountMgr.getAccount(userJobOwner.getAccountId());
//check permissions
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (_accountMgr.isNormalUser(caller.getId())) {
//regular user can see only jobs he owns
if (caller.getId() != jobOwner.getId()) {
throw new PermissionDeniedException("Account " + caller + " is not authorized to see job id=" + job.getId());
}
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
} else if (_accountMgr.isDomainAdmin(caller.getId())) {
_accountMgr.checkAccess(caller, null, true, jobOwner);
}

20
server/src/com/cloud/api/query/QueryManagerImpl.java
View File

@ -1297,9 +1297,9 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
accountId = caller.getId();
}
if (domainId == null && accountId == null && (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || !listAll)) {
if (domainId == null && accountId == null && (_accountMgr.isNormalUser(caller.getId()) || !listAll)) {
accountId = caller.getId();
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || (isRecursive && !listAll)) {
} else if (_accountMgr.isDomainAdmin(caller.getId()) || (isRecursive && !listAll)) {
DomainVO domain = _domainDao.findById(caller.getDomainId());
path = domain.getPath();
}
@ -2290,7 +2290,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
List<Long> domainIds = null;
// For non-root users, only return all offerings for the user's domain,
// and everything above till root
if ((account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
if ((_accountMgr.isNormalUser(account.getId()) || _accountMgr.isDomainAdmin(account.getId()))
|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// find all domain Id up to root domain for this account
domainIds = new ArrayList<Long>();
@ -2436,7 +2436,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
}
// boolean includePublicOfferings = false;
if ((caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN)
if ((_accountMgr.isNormalUser(caller.getId()) || _accountMgr.isDomainAdmin(caller.getId()))
|| caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// For non-root users.
if (isSystem) {
@ -2570,7 +2570,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// only list zones associated // with this domain, private zone
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (_accountMgr.isNormalUser(account.getId())) {
// accountId == null (zones dedicated to a domain) or
// accountId = caller
SearchCriteria<DataCenterJoinVO> sdc = _dcJoinDao.createSearchCriteria();
@ -2580,7 +2580,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
sc.addAnd("accountId", SearchCriteria.Op.SC, sdc);
}
} else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
} else if (_accountMgr.isNormalUser(account.getId())) {
// it was decided to return all zones for the user's domain, and
// everything above till root
// list all zones belonging to this domain, and all of its
@ -2627,7 +2627,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
dedicatedZoneIds.toArray(new Object[dedicatedZoneIds.size()]));
}
} else if (account.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN
} else if (_accountMgr.isDomainAdmin(account.getId())
|| account.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// it was decided to return all zones for the domain admin, and
// everything above till root, as well as zones till the domain
@ -2765,7 +2765,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = false;
if (templateFilter != null && templateFilter == TemplateFilter.all) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (_accountMgr.isNormalUser(caller.getId())) {
throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ " can be specified by admin only");
}
@ -2869,7 +2869,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// add criteria for domain path in case of domain admin
if ((templateFilter == TemplateFilter.self || templateFilter == TemplateFilter.selfexecutable)
&& (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
&& (_accountMgr.isDomainAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
sc.addAnd("domainPath", SearchCriteria.Op.LIKE, domain.getPath() + "%");
}
@ -3062,7 +3062,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
boolean listAll = false;
if (isoFilter != null && isoFilter == TemplateFilter.all) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (_accountMgr.isNormalUser(caller.getId())) {
throw new InvalidParameterValueException("Filter " + TemplateFilter.all
+ " can be specified by admin only");
}

4
server/src/com/cloud/network/NetworkServiceImpl.java
View File

@ -1198,7 +1198,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
}
// Regular user can create Guest Isolated Source Nat enabled network only
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL
if (_accountMgr.isNormalUser(caller.getId())
&& (ntwkOff.getTrafficType() != TrafficType.Guest || ntwkOff.getGuestType() != Network.GuestType.Isolated
&& areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat))) {
throw new InvalidParameterValueException("Regular user can create a network only from the network" +
@ -1407,7 +1407,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
// 1) default is system to false if not specified
// 2) reset parameter to false if it's specified by the regular user
if ((isSystem == null || caller.getType() == Account.ACCOUNT_TYPE_NORMAL) && id == null) {
if ((isSystem == null || _accountMgr.isNormalUser(caller.getId())) && id == null) {
isSystem = false;
}

6
server/src/com/cloud/projects/ProjectManagerImpl.java
View File

@ -184,7 +184,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
Account owner = caller;
//check if the user authorized to create the project
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL && !_allowUserToCreateProject) {
if (_accountMgr.isNormalUser(caller.getId()) && !_allowUserToCreateProject) {
throw new PermissionDeniedException("Regular user is not permitted to create a project");
}
@ -432,7 +432,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
//ROOT admin always can access the project
if (_accountMgr.isRootAdmin(caller.getId())) {
return true;
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
} else if (_accountMgr.isDomainAdmin(caller.getId())) {
Account owner = _accountMgr.getAccount(accountId);
_accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId()));
return true;
@ -446,7 +446,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
//ROOT admin always can access the project
if (_accountMgr.isRootAdmin(caller.getId())) {
return true;
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
} else if (_accountMgr.isDomainAdmin(caller.getId())) {
Account owner = _accountMgr.getAccount(accountId);
_accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId()));
return true;

2
server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java
View File

@ -614,7 +614,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
}
if ((caller.getAccountId() == accountId.longValue()) &&
(caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN ||
(_accountMgr.isDomainAdmin(caller.getId()) ||
caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)) {
// If the admin is trying to update his own account, disallow.
throw new PermissionDeniedException("Unable to update resource limit for his own account " + accountId + ", permission denied");

2
server/src/com/cloud/server/ManagementServerImpl.java
View File

@ -896,7 +896,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
boolean result =true;
List<Long> permittedAccountIds = new ArrayList<Long>();
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
if (_accountService.isNormalUser(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
permittedAccountIds.add(caller.getId());
} else {
DomainVO domain = _domainDao.findById(caller.getDomainId());

3
server/src/com/cloud/servlet/ConsoleProxyServlet.java
View File

@ -480,7 +480,8 @@ public class ConsoleProxyServlet extends HttpServlet {
s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
+ " does not match the account id in session " + accountObj.getId() + " and caller is a normal user");
}
} else if(accountObj.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
} else if (_accountMgr.isDomainAdmin(accountObj.getId())
|| accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) {
if(s_logger.isDebugEnabled()) {
s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
+ " does not match the account id in session " + accountObj.getId() + " and the domain-admin caller does not manage the target domain");

2
server/src/com/cloud/tags/TaggedResourceManagerImpl.java
View File

@ -279,7 +279,7 @@ public class TaggedResourceManagerImpl extends ManagerBase implements TaggedReso
Long accountId = accountDomainPair.first();
if (accountId != null) {
_accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId));
} else if (domainId != null && caller.getType() != Account.ACCOUNT_TYPE_NORMAL) {
} else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) {
//check permissions;
_accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId));
} else {

2
server/src/com/cloud/usage/UsageServiceImpl.java
View File

@ -164,7 +164,7 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
//If account_id or account_name is explicitly mentioned, list records for the specified account only even if the caller is of type admin
if (_accountService.isRootAdmin(caller.getId())) {
isAdmin = true;
} else if(caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN){
} else if (_accountService.isDomainAdmin(caller.getId())) {
isDomainAdmin = true;
}
s_logger.debug("Account details not available. Using userContext accountId: " + accountId);

23
server/src/com/cloud/user/AccountManagerImpl.java
View File

@ -375,6 +375,26 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
return false;
}
@Override
public boolean isDomainAdmin(long accountId) {
// refer to account_group_map and check if account is in Domain 'Admin' group
AclGroupAccountMapVO domainAdminGroupMember = _aclGroupAccountDao.findAccountInDomainAdminGroup(accountId);
if (domainAdminGroupMember != null) {
return true;
}
return false;
}
@Override
public boolean isNormalUser(long accountId) {
// refer to account_group_map and check if account is in 'User' group
AclGroupAccountMapVO user = _aclGroupAccountDao.findAccountInUserGroup(accountId);
if (user != null) {
return true;
}
return false;
}
public boolean isResourceDomainAdmin(short accountType) {
return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
}
@ -2352,7 +2372,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
if (projectId != null) {
if (!forProjectInvitation) {
if (projectId.longValue() == -1) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (isNormalUser(caller.getId())) {
permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
} else {
domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
@ -2516,4 +2536,5 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
public UserAccount getUserByApiKey(String apiKey) {
return _userAccountDao.getUserByApiKey(apiKey);
}
}

2
server/src/com/cloud/vm/UserVmManagerImpl.java
View File

@ -4203,7 +4203,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
// VV 1: verify the two users
Account caller = CallContext.current().getCallingAccount();
if (!_accountMgr.isRootAdmin(caller.getId())
&& caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only
&& !_accountMgr.isDomainAdmin(caller.getId())) { // only
// root
// admin
// can

12
server/test/com/cloud/user/MockAccountManagerImpl.java
View File

@ -350,4 +350,16 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
return null;
}
@Override
public boolean isDomainAdmin(long accountId) {
// TODO Auto-generated method stub
return false;
}
@Override
public boolean isNormalUser(long accountId) {
// TODO Auto-generated method stub
return false;
}
}