Updated Branches: refs/heads/master 7cae8ca23 -> 1851f7f7f
CLOUDSTACK-2365: Anti-Affinity - As admin , we are allowed to deploy a Vm in an affinity group that belongs to different user. CLOUDSTACK-2349: Anti-Affinity - As admin user , using updateVMAffinityGroup() , we are allowed to update the affinity group of a Vm (that belongs to a regular user) to be set to admin's affinity group. Changes: - Even for root-admin make sure that the affinity group and the VM belong to same account Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/1851f7f7 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/1851f7f7 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/1851f7f7 Branch: refs/heads/master Commit: 1851f7f7f6bb4bcf3521ea44c51e9506cb86a72d Parents: 7cae8ca Author: Prachi Damle <pra...@cloud.com> Authored: Fri May 17 15:32:21 2013 -0700 Committer: Prachi Damle <pra...@cloud.com> Committed: Fri May 17 15:33:01 2013 -0700 ---------------------------------------------------------------------- server/src/com/cloud/vm/UserVmManagerImpl.java | 8 ++++++++ .../affinity/AffinityGroupServiceImpl.java | 9 +++++++++ 2 files changed, 17 insertions(+), 0 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/1851f7f7/server/src/com/cloud/vm/UserVmManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 860daaf..05ff6aa 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -2366,6 +2366,14 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use } else { // verify permissions _accountMgr.checkAccess(caller, null, true, owner, ag); + // Root admin has access to both VM and AG by default, but + // make sure the owner of these entities is same + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (ag.getAccountId() != owner.getAccountId()) { + throw new PermissionDeniedException("Affinity Group " + ag + + " does not belong to the VM's account"); + } + } } } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/1851f7f7/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java ---------------------------------------------------------------------- diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java index fc2cfcf..efe18c3 100644 --- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java +++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java @@ -36,6 +36,7 @@ import com.cloud.deploy.DeploymentPlanner; import com.cloud.event.ActionEvent; import com.cloud.event.EventTypes; import com.cloud.exception.InvalidParameterValueException; +import com.cloud.exception.PermissionDeniedException; import com.cloud.exception.ResourceInUseException; import com.cloud.network.security.SecurityGroup; import com.cloud.user.Account; @@ -332,6 +333,14 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro } else { // verify permissions _accountMgr.checkAccess(caller, null, true, owner, ag); + // Root admin has access to both VM and AG by default, but make sure the + // owner of these entities is same + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (ag.getAccountId() != owner.getAccountId()) { + throw new PermissionDeniedException("Affinity Group " + ag + + " does not belong to the VM's account"); + } + } } } _affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);
