Repository: cloudstack Updated Branches: refs/heads/rbac 99bdc8d87 -> d9696b26e
After merge, fix isRootAdmin() calls to use accountId instead of type Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d9696b26 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d9696b26 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d9696b26 Branch: refs/heads/rbac Commit: d9696b26e101af6596b60bc3d22b01acf9e88677 Parents: 99bdc8d Author: Prachi Damle <[email protected]> Authored: Thu Mar 13 13:27:04 2014 -0700 Committer: Prachi Damle <[email protected]> Committed: Thu Mar 13 13:28:40 2014 -0700 ---------------------------------------------------------------------- api/src/com/cloud/user/AccountService.java | 4 +- .../com/cloud/api/query/QueryManagerImpl.java | 2 +- .../deploy/DeploymentPlanningManagerImpl.java | 2 +- .../com/cloud/network/NetworkServiceImpl.java | 2 +- .../com/cloud/storage/VolumeApiServiceImpl.java | 2 +- .../src/com/cloud/user/AccountManagerImpl.java | 45 +++++++++++--------- .../com/cloud/uuididentity/UUIDManagerImpl.java | 2 +- .../com/cloud/user/MockAccountManagerImpl.java | 5 ++- .../iam/RoleBasedEntityAccessChecker.java | 3 ++ 9 files changed, 37 insertions(+), 30 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/api/src/com/cloud/user/AccountService.java ---------------------------------------------------------------------- diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java index 85c71ca..7e37b38 100755 --- a/api/src/com/cloud/user/AccountService.java +++ b/api/src/com/cloud/user/AccountService.java @@ -88,9 +88,9 @@ public interface AccountService { User getUserIncludingRemoved(long userId); - boolean isRootAdmin(long accountId); + boolean isRootAdmin(Long accountId); - boolean isDomainAdmin(long accountId); + boolean isDomainAdmin(Long accountId); boolean isNormalUser(long accountId); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/api/query/QueryManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 0554e3a..b932d42 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -520,7 +520,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); // For end users display only enabled events - if(!_accountMgr.isRootAdmin(caller.getType())){ + if (!_accountMgr.isRootAdmin(caller.getId())) { sc.setParameters("displayEvent", true); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java index 74c141e..c1f336c 100644 --- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java +++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java @@ -508,7 +508,7 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy // check if zone is dedicated. if yes check if vm owner has acess to it. DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId()); - if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) { + if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getId())) { long accountDomainId = vmProfile.getOwner().getDomainId(); long accountId = vmProfile.getOwner().getAccountId(); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/network/NetworkServiceImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java index be95a36..9185d84 100755 --- a/server/src/com/cloud/network/NetworkServiceImpl.java +++ b/server/src/com/cloud/network/NetworkServiceImpl.java @@ -1805,7 +1805,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { // Perform permission check _accountMgr.checkAccess(caller, null, true, network); - if (forced && !_accountMgr.isRootAdmin(caller.getType())) { + if (forced && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins"); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/storage/VolumeApiServiceImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java index 5ce07f0..30b5479 100644 --- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java +++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java @@ -386,7 +386,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic if (displayVolume == null) { displayVolume = true; } else { - if (!_accountMgr.isRootAdmin(caller.getType())) { + if (!_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted "); } } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 04d3e23..1b68b0c 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -366,37 +366,40 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } @Override - public boolean isRootAdmin(long accountId) { - AccountVO acct = _accountDao.findById(accountId); - for (SecurityChecker checker : _securityCheckers) { - try { - if (checker.checkAccess(acct, null, null, "SystemCapability")) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + public boolean isRootAdmin(Long accountId) { + if (accountId != null) { + AccountVO acct = _accountDao.findById(accountId); + for (SecurityChecker checker : _securityCheckers) { + try { + if (checker.checkAccess(acct, null, null, "SystemCapability")) { + if (s_logger.isDebugEnabled()) { + s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + } + return true; } - return true; + } catch (PermissionDeniedException ex) { + return false; } - } catch (PermissionDeniedException ex) { - return false; } } - return false; } @Override - public boolean isDomainAdmin(long accountId) { - AccountVO acct = _accountDao.findById(accountId); - for (SecurityChecker checker : _securityCheckers) { - try { - if (checker.checkAccess(acct, null, null, "DomainCapability")) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + public boolean isDomainAdmin(Long accountId) { + if (accountId != null) { + AccountVO acct = _accountDao.findById(accountId); + for (SecurityChecker checker : _securityCheckers) { + try { + if (checker.checkAccess(acct, null, null, "DomainCapability")) { + if (s_logger.isDebugEnabled()) { + s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + } + return true; } - return true; + } catch (PermissionDeniedException ex) { + return false; } - } catch (PermissionDeniedException ex) { - return false; } } return false; http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/src/com/cloud/uuididentity/UUIDManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java index c514746..a1d1452 100644 --- a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java +++ b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java @@ -50,7 +50,7 @@ public class UUIDManagerImpl implements UUIDManager { Account caller = CallContext.current().getCallingAccount(); // Only admin and system allowed to do this - if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))) { + if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))) { throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id"); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/server/test/com/cloud/user/MockAccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index b411b18..f373cba 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -162,7 +162,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco } @Override - public boolean isRootAdmin(long accountId) { + public boolean isRootAdmin(Long accountId) { // TODO Auto-generated method stub return false; } @@ -298,7 +298,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco } @Override - public boolean isDomainAdmin(long accountId) { + public boolean isDomainAdmin(Long accountId) { // TODO Auto-generated method stub return false; } @@ -356,4 +356,5 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco return null; } + } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d9696b26/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java index 02bb702..3fe854a 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java @@ -63,6 +63,9 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException { + if (caller == null) { + throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!"); + } if (entity == null && action != null) { // check if caller can do this action List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
