CLOUDSTACK-1418- As regular user , we are not allowed to deploy VM on a shared network.
- Added the access type attribute to @acl - Domainchecker needs the AccessType.UseNetwork value specified to check access to network Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/336d133f Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/336d133f Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/336d133f Branch: refs/heads/noa/packaging_rpm_fixes Commit: 336d133f942127447762328410a3cdcc25016051 Parents: 3e0e929 Author: Prachi Damle <[email protected]> Authored: Wed Feb 27 16:56:14 2013 -0800 Committer: Prachi Damle <[email protected]> Committed: Wed Feb 27 17:19:55 2013 -0800 ---------------------------------------------------------------------- api/src/org/apache/cloudstack/api/ACL.java | 4 +++ .../api/command/user/vm/DeployVMCmd.java | 4 +- server/src/com/cloud/api/ApiDispatcher.java | 20 ++++++++------ 3 files changed, 17 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/336d133f/api/src/org/apache/cloudstack/api/ACL.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/ACL.java b/api/src/org/apache/cloudstack/api/ACL.java index 3623d1a..ce93b6a 100644 --- a/api/src/org/apache/cloudstack/api/ACL.java +++ b/api/src/org/apache/cloudstack/api/ACL.java 
@@ -22,10 +22,14 @@ import java.lang.annotation.Retention; import java.lang.annotation.RetentionPolicy; import java.lang.annotation.Target; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; + @Retention(RetentionPolicy.RUNTIME) @Target({ FIELD }) public @interface ACL { + AccessType accessType() default AccessType.ListEntry; + boolean checkKeyAccess() default false; boolean checkValueAccess() default false; } http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/336d133f/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java b/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java index 0ac6476..21a45f8 100755 --- a/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/vm/DeployVMCmd.java @@ -24,6 +24,7 @@ import java.util.LinkedHashMap; import java.util.List; import java.util.Map; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiConstants; @@ -53,7 +54,6 @@ import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.ResourceAllocationException; import com.cloud.exception.ResourceUnavailableException; import com.cloud.hypervisor.Hypervisor.HypervisorType; -import com.cloud.network.IpAddress; import com.cloud.network.Network; import com.cloud.network.Network.IpAddresses; import com.cloud.offering.DiskOffering; 
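Review bot: The new `accessType()` element is undocumented, and its default of `AccessType.ListEntry` now applies to every bare `@ACL` already in the codebase, so the annotation should say what that default means. A Javadoc comment along the lines of `/** Access the caller must hold on the entity resolved from this field. Defaults to ListEntry, which appears to be the least restrictive check (confirm against SecurityChecker); commands that use or modify the entity should set it explicitly, e.g. UseNetwork. */` would make the contract visible to authors of future commands.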
@@ -103,7 +103,7 @@ public class DeployVMCmd extends BaseAsyncCreateCmd { private Long domainId; //Network information - @ACL + @ACL(accessType = AccessType.UseNetwork) @Parameter(name=ApiConstants.NETWORK_IDS, type=CommandType.LIST, collectionType=CommandType.UUID, entityType=NetworkResponse.class, description="list of network ids used by virtual machine. Can't be specified with ipToNetworkList parameter") private List<Long> networkIds; http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/336d133f/server/src/com/cloud/api/ApiDispatcher.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiDispatcher.java b/server/src/com/cloud/api/ApiDispatcher.java index 94abe50..552dea5 100755 --- a/server/src/com/cloud/api/ApiDispatcher.java +++ b/server/src/com/cloud/api/ApiDispatcher.java @@ -24,6 +24,7 @@ import java.text.ParseException; import java.util.ArrayList; import java.util.Calendar; import java.util.Date; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; @@ -35,6 +36,7 @@ import javax.inject.Inject; import org.apache.cloudstack.acl.ControlledEntity; import org.apache.cloudstack.acl.InfrastructureEntity; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.ApiConstants; import org.apache.cloudstack.api.ApiErrorCode; @@ -87,7 +89,7 @@ public class ApiDispatcher { public ApiDispatcher() { } - + @PostConstruct void init() { s_instance = this; @@ -106,7 +108,7 @@ public class ApiDispatcher { } - private void doAccessChecks(BaseCmd cmd, List<Object> entitiesToAccess) { + private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) { Account caller = UserContext.current().getCaller(); Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId()); 
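Review bot: `networkIds` now carries `accessType = AccessType.UseNetwork`, but the parameter's own description says networks can alternatively be supplied through `ipToNetworkList`, and that field lies outside the hunk. If it resolves to the same Network entities it needs the same `@ACL(accessType = AccessType.UseNetwork)`, otherwise the check applies to only one of the two equivalent inputs; the commit does not touch that field, so this is worth confirming. The DeployVMCmd class body continues outside the hunk.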
@@ -118,9 +120,9 @@ public class ApiDispatcher { if(!entitiesToAccess.isEmpty()){ //check that caller can access the owner account. _accountMgr.checkAccess(caller, null, true, owner); - for(Object entity : entitiesToAccess) { + for (Object entity : entitiesToAccess.keySet()) { if (entity instanceof ControlledEntity) { - _accountMgr.checkAccess(caller, null, true, (ControlledEntity) entity); + _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity); } else if (entity instanceof InfrastructureEntity) { //FIXME: Move this code in adapter, remove code from Account manager @@ -164,11 +166,11 @@ public class ApiDispatcher { @SuppressWarnings({ "unchecked", "rawtypes" }) public static void processParameters(BaseCmd cmd, Map<String, String> params) { - List<Object> entitiesToAccess = new ArrayList<Object>(); + Map<Object, AccessType> entitiesToAccess = new HashMap<Object, AccessType>(); Map<String, Object> unpackedParams = cmd.unpackParams(params); - + cmd = ComponentContext.getTargetObject(cmd); - + if (cmd instanceof BaseListCmd) { Object pageSizeObj = unpackedParams.get(ApiConstants.PAGE_SIZE); Long pageSize = null; @@ -260,7 +262,7 @@ public class ApiDispatcher { List<Long> listParam = (List<Long>) field.get(cmd); for (Long entityId : listParam) { Object entityObj = s_instance._entityMgr.findById(entity, entityId); - entitiesToAccess.add(entityObj); + entitiesToAccess.put(entityObj, checkAccess.accessType()); } break; /* @@ -281,7 +283,7 @@ public class ApiDispatcher { case LONG: case UUID: Object entityObj = s_instance._entityMgr.findById(entity, (Long) field.get(cmd)); - entitiesToAccess.add(entityObj); + entitiesToAccess.put(entityObj, checkAccess.accessType()); break; default: break;
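Review bot: The loop in doAccessChecks iterates `keySet()` and then looks each key up again with `entitiesToAccess.get(entity)`; iterating the entries keeps the entity and its access type paired explicitly and avoids the second lookup. The three lines would become `for (Map.Entry<Object, AccessType> e : entitiesToAccess.entrySet()) {`, `Object entity = e.getKey();` and `_accountMgr.checkAccess(caller, e.getValue(), true, (ControlledEntity) entity);`. The rest of doAccessChecks, including the InfrastructureEntity branch, continues outside the hunk.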
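Review bot: Replacing the `List<Object>` with a `HashMap<Object, AccessType>` in processParameters means an entity referenced from two annotated parameters keeps only the last `accessType` written, since both the hunk at -260 and the hunk at -281 call `put` on the same map; if the entity type implements equals/hashCode by id, a parameter requiring UseNetwork can be overwritten by a later-processed parameter that only asks for ListEntry, and which one survives depends on field iteration order. Keeping one pair per reference preserves the previous per-parameter behaviour: declare `List<Map.Entry<Object, AccessType>> entitiesToAccess = new ArrayList<Map.Entry<Object, AccessType>>();`, at both sites add `entitiesToAccess.add(new AbstractMap.SimpleEntry<Object, AccessType>(entityObj, checkAccess.accessType()));` (java.util.AbstractMap would need importing), and have doAccessChecks check every pair. Separately, `_entityMgr.findById` presumably returns null for an id that does not resolve — confirm — and a null key passes through the loop in doAccessChecks without any check, as it did with the list. processParameters starts in this hunk and continues outside it.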
