Updated Branches: refs/heads/rbac ddae23c16 -> aba54356d
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 9a03590..e78620e 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -344,16 +344,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } @Override - public boolean isRootAdmin(short accountType) { - return (accountType == Account.ACCOUNT_TYPE_ADMIN); + public boolean isRootAdmin(long accountId) { + // refer to account_group_map and check if account is in Root 'Admin' + // group + return false; } public boolean isResourceDomainAdmin(short accountType) { return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN); } - public boolean isInternalAccount(short accountType) { - if (isRootAdmin(accountType) || (accountType == Account.ACCOUNT_ID_SYSTEM)) { + public boolean isInternalAccount(long accountId) { + Account account = _accountDao.findById(accountId); + if (isRootAdmin(accountId) || (account.getType() == Account.ACCOUNT_ID_SYSTEM)) { return true; } return false; @@ -377,7 +380,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M @Override public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) { - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) { // no need to make permission checks if the system/root admin makes the call if (s_logger.isTraceEnabled()) { s_logger.trace("No need to make permission check for System/RootAdmin account, returning true"); @@ -1973,7 +1976,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M // return null; } // Whenever the user is able to log in successfully, reset the login attempts to zero - if(!isInternalAccount(userAccount.getType())) + if (!isInternalAccount(userAccount.getId())) updateLoginAttempts(userAccount.getId(), 0, false); return userAccount; @@ -2230,7 +2233,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } else if (!listAll) { if (id == null) { permittedAccounts.add(caller.getId()); - } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + } else if (!isRootAdmin(caller.getId())) { domainIdRecursiveListProject.first(caller.getDomainId()); domainIdRecursiveListProject.second(true); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/com/cloud/user/DomainManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/DomainManagerImpl.java b/server/src/com/cloud/user/DomainManagerImpl.java index b885c48..58e8017 100644 --- a/server/src/com/cloud/user/DomainManagerImpl.java +++ b/server/src/com/cloud/user/DomainManagerImpl.java @@ -431,7 +431,7 @@ public class DomainManagerImpl extends ManagerBase implements DomainManager, Dom } _accountMgr.checkAccess(caller, domain); } else { - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { domainId = caller.getDomainId(); } if (listAll) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/com/cloud/vm/UserVmManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index ea9c540..84c8919 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -1800,7 +1800,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir if (isDisplayVmEnabled == null) { isDisplayVmEnabled = vmInstance.isDisplayVm(); } else{ - if(!_accountMgr.isRootAdmin(caller.getType())){ + if(!_accountMgr.isRootAdmin(caller.getId())){ throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted "); } } @@ -2471,7 +2471,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir assert !(requestedIps != null && (defaultIps.getIp4Address() != null || defaultIps.getIp6Address() != null)) : "requestedIp list and defaultNetworkIp should never be specified together"; if (Grouping.AllocationState.Disabled == zone.getAllocationState() - && !_accountMgr.isRootAdmin(caller.getType())) { + && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException( "Cannot perform this operation, Zone is currently disabled: " + zone.getId()); @@ -2540,7 +2540,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // Root admin has access to both VM and AG by default, // but // make sure the owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) { throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain"); @@ -2551,7 +2551,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // Root admin has access to both VM and AG by default, // but // make sure the owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { if (ag.getAccountId() != owner.getAccountId()) { throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account"); @@ -2776,7 +2776,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } if(isDisplayVmEnabled != null){ - if(!_accountMgr.isRootAdmin(caller.getType())){ + if(!_accountMgr.isRootAdmin(caller.getId())){ throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted "); } vm.setDisplayVm(isDisplayVmEnabled); @@ -3264,7 +3264,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir Host destinationHost = null; if (hostId != null) { Account account = CallContext.current().getCallingAccount(); - if (!_accountService.isRootAdmin(account.getType())) { + if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException( "Parameter hostid can only be specified by a Root Admin, permission denied"); } @@ -3759,7 +3759,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir public VirtualMachine vmStorageMigration(Long vmId, StoragePool destPool) { // access check - only root admin can migrate VM Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -3832,7 +3832,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir ManagementServerException, VirtualMachineMigrationException { // access check - only root admin can migrate VM Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -4162,7 +4162,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir ManagementServerException, VirtualMachineMigrationException { // Access check - only root administrator can migrate VM. Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -4289,7 +4289,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // VV 1: verify the two users Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN + if (!_accountMgr.isRootAdmin(caller.getId()) && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only // root // admin http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java ---------------------------------------------------------------------- diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java index 8f2caad..9343b22 100644 --- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java +++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java @@ -161,7 +161,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType); - if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getType())) { + if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot create the affinity group"); } @@ -176,7 +176,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro } else if (domainId != null && account == null) { - if (!_accountMgr.isRootAdmin(caller.getType())) { + if (!_accountMgr.isRootAdmin(caller.getId())) { // non root admin need to pass both account and domain throw new InvalidParameterValueException( "Unable to create affinity group, account name must be passed with the domainId"); @@ -484,7 +484,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro _accountMgr.checkAccess(caller, null, true, owner, ag); // Root admin has access to both VM and AG by default, but make sure the // owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { if (ag.getAccountId() != owner.getAccountId()) { throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account"); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/aba54356/server/test/com/cloud/user/MockAccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index 38cc1a84..7a8e1ee 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -163,7 +163,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco } @Override - public boolean isRootAdmin(short accountType) { + public boolean isRootAdmin(long accountId) { // TODO Auto-generated method stub return false; }
