[GitHub] sureshanaparti commented on a change in pull request #2042: CLOUDSTACK-9875: Unable to re-apply Explicit dedication to VM

[git]

sureshanaparti commented on a change in pull request #2042: CLOUDSTACK-9875: 
Unable to re-apply Explicit dedication to VM
URL: https://github.com/apache/cloudstack/pull/2042#discussion_r117737324
 
 

 ##########
 File path: 
server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
 ##########
 @@ -432,12 +432,25 @@ public UserVm updateVMAffinityGroups(Long vmId, 
List<Long> affinityGroupIds) {
                 throw new InvalidParameterValueException("Unable to find 
affinity group by id " + affinityGroupId);
             } else {
                 // verify permissions
-                _accountMgr.checkAccess(caller, null, true, owner, ag);
-                // Root admin has access to both VM and AG by default, but 
make sure the
-                // owner of these entities is same
-                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || 
_accountMgr.isRootAdmin(caller.getId())) {
-                    if (ag.getAccountId() != owner.getAccountId()) {
-                        throw new PermissionDeniedException("Affinity Group " 
+ ag + " does not belong to the VM's account");
+                if (ag.getAclType() == ACLType.Domain) {
+                    _accountMgr.checkAccess(caller, null, false, owner, ag);
+                    // Root admin has access to both VM and AG by default,
+                    // but
+                    // make sure the owner of these entities is same
+                    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || 
_accountMgr.isRootAdmin(caller.getId())) {
+                        if (!isAffinityGroupAvailableInDomain(ag.getId(), 
owner.getDomainId())) {
+                            throw new PermissionDeniedException("Affinity 
Group " + ag + " does not belong to the VM's domain");
+                        }
+                    }
+                } else {
+                    _accountMgr.checkAccess(caller, null, true, owner, ag);
+                    // Root admin has access to both VM and AG by default,
+                    // but
+                    // make sure the owner of these entities is same
+                    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || 
_accountMgr.isRootAdmin(caller.getId())) {
+                        if (ag.getAccountId() != owner.getAccountId()) {
+                            throw new PermissionDeniedException("Affinity 
Group " + ag + " does not belong to the VM's account");
+                        }
                     }
                 }
             }
 
 Review comment:
   Code LGTM
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services