CLOUDSTACK-4337 Dedicated Resources: Zone dedicated to an account should only 
be visible and accessible to that account

Changes:
- When listing a zone, add clause in the search to check the account_id for a 
dedicated zone
- When listing a zone with a domainid, add a similar clause.
- DomainChecker::checkAccess() for a zone should consider that a zone can now be 
dedicated to a specific account and check access accordingly.

Conflicts:

        server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
        setup/db/db/schema-410to420.sql


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6a0bda02
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6a0bda02
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6a0bda02

Branch: refs/heads/master
Commit: 6a0bda0280e68dcee30ecb6a87db4e38fd1df744
Parents: 012afce
Author: Prachi Damle <[email protected]>
Authored: Tue Sep 3 13:38:16 2013 -0700
Committer: Prachi Damle <[email protected]>
Committed: Tue Sep 3 20:02:59 2013 -0700

----------------------------------------------------------------------
 server/src/com/cloud/acl/DomainChecker.java     | 16 +++++++++
 .../com/cloud/api/query/QueryManagerImpl.java   | 24 +++++++++++--
 .../cloud/api/query/vo/DataCenterJoinVO.java    | 20 +++++++++++
 setup/db/db/schema-410to420.sql                 | 37 ++++++++++++++++++++
 4 files changed, 94 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a0bda02/server/src/com/cloud/acl/DomainChecker.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/acl/DomainChecker.java 
b/server/src/com/cloud/acl/DomainChecker.java
index 78ebe6e..7b47bae 100755
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@@ -26,6 +26,8 @@ import org.apache.cloudstack.api.BaseCmd;
 import org.springframework.stereotype.Component;
 
 import com.cloud.dc.DataCenter;
+import com.cloud.dc.DedicatedResourceVO;
+import com.cloud.dc.dao.DedicatedResourceDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
@@ -53,6 +55,8 @@ public class DomainChecker extends AdapterBase implements 
SecurityChecker {
     @Inject ProjectManager _projectMgr;
     @Inject ProjectAccountDao _projecAccountDao;
     @Inject NetworkModel _networkMgr;
+    @Inject
+    private DedicatedResourceDao _dedicatedDao;
     
     protected DomainChecker() {
         super();
@@ -238,6 +242,18 @@ public class DomainChecker extends AdapterBase implements 
SecurityChecker {
                        //if account is normal user
                        //check if account's domain is a child of zone's domain
             else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || 
account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+                // if zone is dedicated to an account check that the accountId
+                // matches.
+                DedicatedResourceVO dedicatedZone = 
_dedicatedDao.findByZoneId(zone.getId());
+                if (dedicatedZone != null) {
+                    if (dedicatedZone.getAccountId() != null) {
+                        if (dedicatedZone.getAccountId() == account.getId()) {
+                            return true;
+                        } else {
+                            return false;
+                        }
+                    }
+                }
                 if (account.getDomainId() == zone.getDomainId()) {
                                        return true; //zone and account at 
exact node
                 } else {
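Review bot: The comparison on the `dedicatedZone.getAccountId() == account.getId()` line depends on unboxing: `getAccountId()` is clearly a boxed `Long` (it is null-checked two lines earlier), so `==` is a value comparison only if `account.getId()` returns a primitive `long`; should it ever return `Long`, this silently becomes an identity check that fails for ids outside the small-Long cache and would deny the dedicated account its own zone. Making the intent explicit also collapses the three nested ifs into `if (dedicatedZone != null && dedicatedZone.getAccountId() != null) {` / `    return dedicatedZone.getAccountId().longValue() == account.getId();` / `}`. This branch is reached only for NORMAL and PROJECT callers, so the admin and domain-admin paths above it still grant access to an account-dedicated zone; if that is intended, a one-line comment saying so would stop the next reader from treating it as a gap. checkAccess begins and ends outside this hunk.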

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a0bda02/server/src/com/cloud/api/query/QueryManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java 
b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 2e716bc..a2a57fa 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -2499,11 +2499,21 @@ public class QueryManagerImpl extends ManagerBase 
implements QueryService {
              * List all resources due to Explicit Dedication except the
              * dedicated resources of other account
              */
-            if (domainId != null && account.getType() == 
Account.ACCOUNT_TYPE_ADMIN) { //
+            if (domainId != null) { //
                 // for domainId != null // right now, we made the decision to
-                // only
-                // / list zones associated // with this domain, private zone
+                // only list zones associated // with this domain, private zone
                 sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
+
+                if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                    // accountId == null (zones dedicated to a domain) or
+                    // accountId = caller
+                    SearchCriteria<DataCenterJoinVO> sdc = 
_dcJoinDao.createSearchCriteria();
+                    sdc.addOr("accountId", SearchCriteria.Op.EQ, 
account.getId());
+                    sdc.addOr("accountId", SearchCriteria.Op.NULL);
+
+                    sc.addAnd("account", SearchCriteria.Op.SC, sdc);
+                }
+
             } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                 // it was decided to return all zones for the user's domain, 
and
                 // everything above till root
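Review bot: Removing `account.getType() == Account.ACCOUNT_TYPE_ADMIN` from the `domainId != null` condition means any caller that supplies a domainId is now filtered by that domain instead of by its own domain tree, so a normal user could enumerate zones dedicated to a domain it does not belong to unless `domainId` is checked against the caller earlier in the method (not visible in this hunk); if no such check exists, one should be added before this branch. The new account clause is applied only for `ACCOUNT_TYPE_NORMAL`, whereas DomainChecker in the same commit treats `ACCOUNT_TYPE_PROJECT` identically, so a project caller passing a domainId still sees zones dedicated to other accounts in that domain; `if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {` would keep listing and access-check consistent. The comment `// accountId == null (zones dedicated to a domain)` is also narrower than the filter it describes, since data_center_view left-joins dedicated_resources and a NULL account_id equally means "not dedicated at all"; `// accountId == null (not dedicated, or dedicated to a domain only) or accountId == caller` is accurate. The enclosing method begins and ends outside this hunk.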
@@ -2535,6 +2545,14 @@ public class QueryManagerImpl extends ManagerBase 
implements QueryService {
                 // remove disabled zones
                 sc.addAnd("allocationState", SearchCriteria.Op.NEQ, 
Grouping.AllocationState.Disabled);
 
+                // accountId == null (zones dedicated to a domain) or
+                // accountId = caller
+                SearchCriteria<DataCenterJoinVO> sdc2 = 
_dcJoinDao.createSearchCriteria();
+                sdc2.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
+                sdc2.addOr("accountId", SearchCriteria.Op.NULL);
+
+                sc.addAnd("account", SearchCriteria.Op.SC, sdc2);
+
                 // remove Dedicated zones not dedicated to this domainId or
                 // subdomainId
                 List<Long> dedicatedZoneIds = 
removeDedicatedZoneNotSuitabe(domainIds);
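Review bot: The four lines that build `sdc2` are a byte-for-byte copy of the `sdc` block in the previous hunk, which is the kind of duplication that drifts when the dedication rule changes; a small private helper such as `private void addCallerAccountFilter(SearchCriteria<DataCenterJoinVO> sc, Account account)` holding the createSearchCriteria/addOr/addOr/addAnd sequence, called from both branches, would remove it. The comment `// accountId == null (zones dedicated to a domain)` should also say `// accountId == null (not dedicated, or dedicated to a domain only) or accountId == caller`, because the left join in data_center_view produces a NULL account_id for zones with no dedication at all, not only for domain-dedicated ones. The enclosing method begins and ends outside this hunk.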

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a0bda02/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java 
b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
index 84becf2..c6a80e7 100644
--- a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
+++ b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
@@ -108,6 +108,15 @@ public class DataCenterJoinVO extends BaseViewVO 
implements InternalIdentity, Id
     @Column(name="domain_path")
     private String domainPath;
 
+    @Column(name = "affinity_group_id")
+    private long affinityGroupId;
+
+    @Column(name = "affinity_group_uuid")
+    private String affinityGroupUuid;
+
+    @Column(name = "account_id")
+    private long accountId;
+
 
     public DataCenterJoinVO() {
     }
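Review bot: `account_id` and `affinity_group_id` are nullable in data_center_view (they come from a left join, and QueryManagerImpl queries the field with `SearchCriteria.Op.NULL`), yet the new fields are primitive `long`, which cannot represent a missing value; depending on how the DAO hydrates a NULL column, non-dedicated zones will most likely surface as `accountId == 0`, and every caller of `getAccountId()` then has to know that 0 means "absent". Declaring them boxed, `private Long affinityGroupId;` and `private Long accountId;` with matching `Long` accessor types, lets a NULL round-trip as `null` and mirrors `DedicatedResourceVO.getAccountId()`, which DomainChecker null-checks in this same commit. The enclosing class begins and ends outside this hunk.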
@@ -303,4 +312,15 @@ public class DataCenterJoinVO extends BaseViewVO 
implements InternalIdentity, Id
        }
 
 
+    public String getAffinityGroupUuid() {
+        return affinityGroupUuid;
+    }
+
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(long accountId) {
+        this.accountId = accountId;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6a0bda02/setup/db/db/schema-410to420.sql
----------------------------------------------------------------------
diff --git a/setup/db/db/schema-410to420.sql b/setup/db/db/schema-410to420.sql
index 5887caa..0180e50 100644
--- a/setup/db/db/schema-410to420.sql
+++ b/setup/db/db/schema-410to420.sql
@@ -2338,3 +2338,40 @@ CREATE TABLE `cloud`.`ldap_configuration` (
   PRIMARY KEY  (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
+DROP VIEW IF EXISTS `cloud`.`data_center_view`;
+CREATE VIEW `cloud`.`data_center_view` AS
+    select 
+        data_center.id,
+        data_center.uuid,
+        data_center.name,
+        data_center.is_security_group_enabled,
+        data_center.is_local_storage_enabled,
+        data_center.description,
+        data_center.dns1,
+        data_center.dns2,
+        data_center.ip6_dns1,
+        data_center.ip6_dns2,
+        data_center.internal_dns1,
+        data_center.internal_dns2,
+        data_center.guest_network_cidr,
+        data_center.domain,
+        data_center.networktype,
+        data_center.allocation_state,
+        data_center.zone_token,
+        data_center.dhcp_provider,
+        data_center.removed,
+        domain.id domain_id,
+        domain.uuid domain_uuid,
+        domain.name domain_name,
+        domain.path domain_path,
+               dedicated_resources.affinity_group_id,
+               dedicated_resources.account_id,
+               affinity_group.uuid affinity_group_uuid
+    from
+        `cloud`.`data_center`
+            left join
+        `cloud`.`domain` ON data_center.domain_id = domain.id
+                       left join
+        `cloud`.`dedicated_resources` ON data_center.id = 
dedicated_resources.data_center_id
+                       left join
+        `cloud`.`affinity_group` ON dedicated_resources.affinity_group_id = 
affinity_group.id;
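Review bot: The new `left join cloud.dedicated_resources ON data_center.id = dedicated_resources.data_center_id` produces one view row per matching dedicated_resources row, so if a zone can ever have more than one row with its data_center_id set (for example if pod-, cluster- or host-level dedications also populate that column — not determinable from this hunk), that zone is listed several times and the account_id filter in QueryManagerImpl would match any of those rows rather than the zone-level one. If only zone-level dedications carry data_center_id this is fine; otherwise the join condition should be restricted to zone-level rows using whichever columns mark the finer-grained dedications. Either way, a one-line comment above the view stating the at-most-one-dedication-row-per-zone assumption would make the contract explicit for whoever next edits dedicated_resources.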
