mirror of https://github.com/apache/cloudstack.git
Compare commits
7 Commits
5dde90d59e
...
49be9ed958
| Author | SHA1 | Date |
|---|---|---|
Wei Zhou
|
49be9ed958 | |
Daman Arora
|
bce3e54a7e | |
Nicolas Vazquez
|
6a9835904c | |
|
Nicolas Vazquez
|
6846619a6f | |
Vishesh
|
d1eb2822d9 | |
|
Wei Zhou
|
fc10728f10 | |
|
Wei Zhou
|
e5848acdd0 |
|
|
@ -19,6 +19,7 @@ package org.apache.cloudstack.acl;
|
|||
import com.cloud.exception.PermissionDeniedException;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.User;
|
||||
import com.cloud.utils.Pair;
|
||||
import com.cloud.utils.component.Adapter;
|
||||
|
||||
import java.util.List;
|
||||
|
|
@ -43,4 +44,7 @@ public interface APIChecker extends Adapter {
|
|||
*/
|
||||
List<String> getApisAllowedToUser(Role role, User user, List<String> apiNames) throws PermissionDeniedException;
|
||||
boolean isEnabled();
|
||||
|
||||
default Pair<Role, List<RolePermission>> getRolePermissions(long roleId) { return null; }
|
||||
default boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) { return false; }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -78,6 +78,7 @@ public class UpdateNetworkOfferingCmd extends BaseCmd {
|
|||
|
||||
@Parameter(name = ApiConstants.DOMAIN_ID,
|
||||
type = CommandType.STRING,
|
||||
length = 4096,
|
||||
description = "The ID of the containing domain(s) as comma separated string, public for public offerings")
|
||||
private String domainIds;
|
||||
|
||||
|
|
|
|||
|
|
@ -75,6 +75,7 @@ public class UpdateDiskOfferingCmd extends BaseCmd {
|
|||
@Parameter(name = ApiConstants.ZONE_ID,
|
||||
type = CommandType.STRING,
|
||||
description = "The ID of the containing zone(s) as comma separated string, all for all zones offerings",
|
||||
length = 4096,
|
||||
since = "4.13")
|
||||
private String zoneIds;
|
||||
|
||||
|
|
|
|||
|
|
@ -69,6 +69,7 @@ public class UpdateServiceOfferingCmd extends BaseCmd {
|
|||
@Parameter(name = ApiConstants.ZONE_ID,
|
||||
type = CommandType.STRING,
|
||||
description = "The ID of the containing zone(s) as comma separated string, all for all zones offerings",
|
||||
length = 4096,
|
||||
since = "4.13")
|
||||
private String zoneIds;
|
||||
|
||||
|
|
|
|||
|
|
@ -65,6 +65,7 @@ public class UpdateVPCOfferingCmd extends BaseAsyncCmd {
|
|||
@Parameter(name = ApiConstants.ZONE_ID,
|
||||
type = CommandType.STRING,
|
||||
description = "The ID of the containing zone(s) as comma separated string, all for all zones offerings",
|
||||
length = 4096,
|
||||
since = "4.13")
|
||||
private String zoneIds;
|
||||
|
||||
|
|
|
|||
|
|
@ -31,4 +31,6 @@ public interface VMScheduledJobDao extends GenericDao<VMScheduledJobVO, Long> {
|
|||
int expungeJobsForSchedules(List<Long> scheduleId, Date dateAfter);
|
||||
|
||||
int expungeJobsBefore(Date currentTimestamp);
|
||||
|
||||
VMScheduledJobVO findByScheduleAndTimestamp(long scheduleId, Date scheduledTimestamp);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -39,6 +39,8 @@ public class VMScheduledJobDaoImpl extends GenericDaoBase<VMScheduledJobVO, Long
|
|||
|
||||
private final SearchBuilder<VMScheduledJobVO> expungeJobForScheduleSearch;
|
||||
|
||||
private final SearchBuilder<VMScheduledJobVO> scheduleAndTimestampSearch;
|
||||
|
||||
static final String SCHEDULED_TIMESTAMP = "scheduled_timestamp";
|
||||
|
||||
static final String VM_SCHEDULE_ID = "vm_schedule_id";
|
||||
|
|
@ -58,6 +60,11 @@ public class VMScheduledJobDaoImpl extends GenericDaoBase<VMScheduledJobVO, Long
|
|||
expungeJobForScheduleSearch.and(VM_SCHEDULE_ID, expungeJobForScheduleSearch.entity().getVmScheduleId(), SearchCriteria.Op.IN);
|
||||
expungeJobForScheduleSearch.and(SCHEDULED_TIMESTAMP, expungeJobForScheduleSearch.entity().getScheduledTime(), SearchCriteria.Op.GTEQ);
|
||||
expungeJobForScheduleSearch.done();
|
||||
|
||||
scheduleAndTimestampSearch = createSearchBuilder();
|
||||
scheduleAndTimestampSearch.and(VM_SCHEDULE_ID, scheduleAndTimestampSearch.entity().getVmScheduleId(), SearchCriteria.Op.EQ);
|
||||
scheduleAndTimestampSearch.and(SCHEDULED_TIMESTAMP, scheduleAndTimestampSearch.entity().getScheduledTime(), SearchCriteria.Op.EQ);
|
||||
scheduleAndTimestampSearch.done();
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -92,4 +99,12 @@ public class VMScheduledJobDaoImpl extends GenericDaoBase<VMScheduledJobVO, Long
|
|||
sc.setParameters(SCHEDULED_TIMESTAMP, date);
|
||||
return expunge(sc);
|
||||
}
|
||||
|
||||
@Override
|
||||
public VMScheduledJobVO findByScheduleAndTimestamp(long scheduleId, Date scheduledTimestamp) {
|
||||
SearchCriteria<VMScheduledJobVO> sc = scheduleAndTimestampSearch.create();
|
||||
sc.setParameters(VM_SCHEDULE_ID, scheduleId);
|
||||
sc.setParameters(SCHEDULED_TIMESTAMP, scheduledTimestamp);
|
||||
return findOneBy(sc);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -107,7 +107,8 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
|
|||
return accountService.getAccount(accountId);
|
||||
}
|
||||
|
||||
protected Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
@Override
|
||||
public Pair<Role, List<RolePermission>> getRolePermissions(long roleId) {
|
||||
final Role accountRole = roleService.findRole(roleId);
|
||||
if (accountRole == null || accountRole.getId() < 1L) {
|
||||
return new Pair<>(null, null);
|
||||
|
|
@ -149,7 +150,7 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
|
|||
throw new PermissionDeniedException(String.format("Account role for user id [%s] cannot be found.", user.getUuid()));
|
||||
}
|
||||
if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
|
||||
logger.info("Account for user id {} is Root Admin or Domain Admin, all APIs are allowed.", user.getUuid());
|
||||
logger.info("Account for user id {} is Root Admin, all APIs are allowed.", user.getUuid());
|
||||
return true;
|
||||
}
|
||||
List<RolePermission> allPermissions = roleAndPermissions.second();
|
||||
|
|
@ -180,6 +181,25 @@ public class DynamicRoleBasedAPIAccessChecker extends AdapterBase implements API
|
|||
throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account));
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean checkAccess(Account account, String commandName, Role accountRole, List<RolePermission> allPermissions) {
|
||||
if (accountRole == null) {
|
||||
throw new PermissionDeniedException(String.format("The account [%s] has role null or unknown.", account));
|
||||
}
|
||||
|
||||
if (accountRole.getRoleType() == RoleType.Admin && accountRole.getId() == RoleType.Admin.getId()) {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace(String.format("Account [%s] is Root Admin, all APIs are allowed.", account));
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
if (checkApiPermissionByRole(accountRole, commandName, allPermissions)) {
|
||||
return true;
|
||||
}
|
||||
throw new UnavailableCommandException(String.format("The API [%s] does not exist or is not available for the account %s.", commandName, account));
|
||||
}
|
||||
|
||||
/**
|
||||
* Only one strategy should be used between StaticRoleBasedAPIAccessChecker and DynamicRoleBasedAPIAccessChecker
|
||||
* Default behavior is to use the Dynamic version. The StaticRoleBasedAPIAccessChecker is the legacy version.
|
||||
|
|
|
|||
|
|
@ -47,6 +47,7 @@ import org.apache.cloudstack.acl.ControlledEntity;
|
|||
import org.apache.cloudstack.acl.InfrastructureEntity;
|
||||
import org.apache.cloudstack.acl.QuerySelector;
|
||||
import org.apache.cloudstack.acl.Role;
|
||||
import org.apache.cloudstack.acl.RolePermission;
|
||||
import org.apache.cloudstack.acl.RoleService;
|
||||
import org.apache.cloudstack.acl.RoleType;
|
||||
import org.apache.cloudstack.acl.SecurityChecker;
|
||||
|
|
@ -1438,29 +1439,35 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
|||
requested.getUuid(),
|
||||
requested.getRoleId()));
|
||||
}
|
||||
if (caller.getRoleId().equals(requested.getRoleId())) {
|
||||
return;
|
||||
}
|
||||
List<APIChecker> apiCheckers = getEnabledApiCheckers();
|
||||
for (APIChecker apiChecker : apiCheckers) {
|
||||
checkApiAccess(apiChecker, caller, requested);
|
||||
}
|
||||
}
|
||||
|
||||
private void checkApiAccess(APIChecker apiChecker, Account caller, Account requested) throws PermissionDeniedException {
|
||||
Pair<Role, List<RolePermission>> roleAndPermissionsForCaller = apiChecker.getRolePermissions(caller.getRoleId());
|
||||
Pair<Role, List<RolePermission>> roleAndPermissionsForRequested = apiChecker.getRolePermissions(requested.getRoleId());
|
||||
for (String command : apiNameList) {
|
||||
try {
|
||||
checkApiAccess(apiCheckers, requested, command);
|
||||
} catch (PermissionDeniedException pde) {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace(String.format(
|
||||
"Checking for permission to \"%s\" is irrelevant as it is not requested for %s [%s]",
|
||||
command,
|
||||
requested.getAccountName(),
|
||||
requested.getUuid()
|
||||
)
|
||||
);
|
||||
if (roleAndPermissionsForRequested == null) {
|
||||
apiChecker.checkAccess(caller, command);
|
||||
} else {
|
||||
apiChecker.checkAccess(caller, command, roleAndPermissionsForRequested.first(), roleAndPermissionsForRequested.second());
|
||||
}
|
||||
} catch (PermissionDeniedException pde) {
|
||||
continue;
|
||||
}
|
||||
// so requested can, now make sure caller can as well
|
||||
try {
|
||||
if (logger.isTraceEnabled()) {
|
||||
logger.trace(String.format("permission to \"%s\" is requested",
|
||||
command));
|
||||
if (roleAndPermissionsForCaller == null) {
|
||||
apiChecker.checkAccess(caller, command);
|
||||
} else {
|
||||
apiChecker.checkAccess(caller, command, roleAndPermissionsForCaller.first(), roleAndPermissionsForCaller.second());
|
||||
}
|
||||
checkApiAccess(apiCheckers, caller, command);
|
||||
} catch (PermissionDeniedException pde) {
|
||||
String msg = String.format("User of Account %s and domain %s can not create an account with access to more privileges they have themself.",
|
||||
caller, _domainMgr.getDomain(caller.getDomainId()));
|
||||
|
|
|
|||
|
|
@ -162,7 +162,13 @@ public class VMSchedulerImpl extends ManagerBase implements VMScheduler, Configu
|
|||
}
|
||||
|
||||
Date scheduledDateTime = Date.from(ts.toInstant());
|
||||
VMScheduledJobVO scheduledJob = new VMScheduledJobVO(vmSchedule.getVmId(), vmSchedule.getId(), vmSchedule.getAction(), scheduledDateTime);
|
||||
VMScheduledJobVO scheduledJob = vmScheduledJobDao.findByScheduleAndTimestamp(vmSchedule.getId(), scheduledDateTime);
|
||||
if (scheduledJob != null) {
|
||||
logger.trace("Job is already scheduled for schedule {} at {}", vmSchedule, scheduledDateTime);
|
||||
return scheduledDateTime;
|
||||
}
|
||||
|
||||
scheduledJob = new VMScheduledJobVO(vmSchedule.getVmId(), vmSchedule.getId(), vmSchedule.getAction(), scheduledDateTime);
|
||||
try {
|
||||
vmScheduledJobDao.persist(scheduledJob);
|
||||
ActionEventUtils.onScheduledActionEvent(User.UID_SYSTEM, vm.getAccountId(), actionEventMap.get(vmSchedule.getAction()),
|
||||
|
|
|
|||
|
|
@ -218,18 +218,19 @@ export const notifierPlugin = {
|
|||
if (error.response.status) {
|
||||
msg = `${i18n.global.t('message.request.failed')} (${error.response.status})`
|
||||
}
|
||||
if (error.message) {
|
||||
desc = error.message
|
||||
}
|
||||
if (error.response.headers && 'x-description' in error.response.headers) {
|
||||
if (error.response.headers?.['x-description']) {
|
||||
desc = error.response.headers['x-description']
|
||||
}
|
||||
if (desc === '' && error.response.data) {
|
||||
} else if (error.response.data) {
|
||||
const responseKey = _.findKey(error.response.data, 'errortext')
|
||||
if (responseKey) {
|
||||
desc = error.response.data[responseKey].errortext
|
||||
} else if (typeof error.response.data === 'string') {
|
||||
desc = error.response.data
|
||||
}
|
||||
}
|
||||
if (!desc && error.message) {
|
||||
desc = error.message
|
||||
}
|
||||
}
|
||||
let countNotify = store.getters.countNotify
|
||||
countNotify++
|
||||
|
|
|
|||
|
|
@ -638,11 +638,7 @@ export default {
|
|||
this.$emit('refresh-data')
|
||||
this.closeAction()
|
||||
}).catch(e => {
|
||||
this.$notification.error({
|
||||
message: this.$t('message.upload.failed'),
|
||||
description: `${this.$t('message.upload.template.failed.description')} - ${e}`,
|
||||
duration: 0
|
||||
})
|
||||
this.$notifyError(e)
|
||||
})
|
||||
},
|
||||
fetchCustomHypervisorName () {
|
||||
|
|
|
|||
Loading…
Reference in New Issue