rhtyd commented on a change in pull request #3248: [WIP DO NOT MERGE] server:
offerings for specified domain(s) and zone(s)
URL: https://github.com/apache/cloudstack/pull/3248#discussion_r288925988
##########
File path: server/src/main/java/com/cloud/acl/DomainChecker.java
##########
@@ -167,81 +182,155 @@ public boolean checkAccess(User user, ControlledEntity
entity) throws Permission
}
@Override
- public boolean checkAccess(Account account, DiskOffering dof) throws
PermissionDeniedException {
- if (account == null || dof == null || dof.getDomainId() == null)
{//public offering
- return true;
+ public boolean checkAccess(Account account, DiskOffering dof, DataCenter
zone) throws PermissionDeniedException {
+ boolean isAccess = false;
+ // Check fo domains
+ if (account == null || dof == null) {
+ isAccess = true;
} else {
//admin has all permissions
if (_accountService.isRootAdmin(account.getId())) {
- return true;
+ isAccess = true;
}
//if account is normal user or domain admin
- //check if account's domain is a child of zone's domain (Note:
This is made consistent with the list command for disk offering)
+ //check if account's domain is a child of offering's domain (Note:
This is made consistent with the list command for disk offering)
else if (_accountService.isNormalUser(account.getId())
|| account.getType() ==
Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
|| _accountService.isDomainAdmin(account.getId())
|| account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- if (account.getDomainId() == dof.getDomainId()) {
- return true; //disk offering and account at exact node
+ final List<Long> doDomainIds =
diskOfferingDetailsDao.findDomainIds(dof.getId());
+ if (doDomainIds.isEmpty()) {
+ isAccess = true;
} else {
- Domain domainRecord =
_domainDao.findById(account.getDomainId());
- if (domainRecord != null) {
- while (true) {
- if (domainRecord.getId() == dof.getDomainId()) {
- //found as a child
- return true;
- }
- if (domainRecord.getParent() != null) {
- domainRecord =
_domainDao.findById(domainRecord.getParent());
- } else {
- break;
- }
+ for (Long domainId : doDomainIds) {
+ if (_domainDao.isChildDomain(domainId,
account.getDomainId())) {
+ isAccess = true;
+ break;
}
}
}
}
}
- //not found
- return false;
+ // Check for zones
+ if (isAccess && dof != null && zone != null) {
+ final List<Long> doZoneIds =
diskOfferingDetailsDao.findZoneIds(dof.getId());
+ isAccess = doZoneIds.isEmpty() || doZoneIds.contains(zone.getId());
+ }
+ return isAccess;
}
@Override
- public boolean checkAccess(Account account, ServiceOffering so) throws
PermissionDeniedException {
- if (account == null || so.getDomainId() == null) {//public offering
- return true;
+ public boolean checkAccess(Account account, ServiceOffering so, DataCenter
zone) throws PermissionDeniedException {
+ boolean isAccess = false;
+ // Check fo domains
+ if (account == null || so == null) {
+ isAccess = true;
} else {
//admin has all permissions
if (_accountService.isRootAdmin(account.getId())) {
- return true;
+ isAccess = true;
}
//if account is normal user or domain admin
- //check if account's domain is a child of zone's domain (Note:
This is made consistent with the list command for service offering)
+ //check if account's domain is a child of offering's domain (Note:
This is made consistent with the list command for service offering)
else if (_accountService.isNormalUser(account.getId())
|| account.getType() ==
Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
|| _accountService.isDomainAdmin(account.getId())
|| account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
- if (account.getDomainId() == so.getDomainId()) {
- return true; //service offering and account at exact node
+ final List<Long> soDomainIds =
serviceOfferingDetailsDao.findDomainIds(so.getId());
+ if (soDomainIds.isEmpty()) {
+ isAccess = true;
} else {
- Domain domainRecord =
_domainDao.findById(account.getDomainId());
- if (domainRecord != null) {
- while (true) {
- if (domainRecord.getId() == so.getDomainId()) {
- //found as a child
- return true;
- }
- if (domainRecord.getParent() != null) {
- domainRecord =
_domainDao.findById(domainRecord.getParent());
- } else {
- break;
- }
+ for (Long domainId : soDomainIds) {
+ if (_domainDao.isChildDomain(domainId,
account.getDomainId())) {
+ isAccess = true;
+ break;
}
}
}
}
}
- //not found
- return false;
+ // Check for zones
+ if (isAccess && so != null && zone != null) {
+ final List<Long> soZoneIds =
serviceOfferingDetailsDao.findZoneIds(so.getId());
+ isAccess = soZoneIds.isEmpty() || soZoneIds.contains(zone.getId());
+ }
+ return isAccess;
+ }
+
+ @Override
+ public boolean checkAccess(Account account, NetworkOffering nof,
DataCenter zone) throws PermissionDeniedException {
+ boolean isAccess = false;
+ // Check fo domains
+ if (account == null || nof == null) {
+ isAccess = true;
+ } else {
+ //admin has all permissions
+ if (_accountService.isRootAdmin(account.getId())) {
+ isAccess = true;
+ }
+ //if account is normal user or domain admin
+ //check if account's domain is a child of offering's domain (Note:
This is made consistent with the list command for disk offering)
+ else if (_accountService.isNormalUser(account.getId())
+ || account.getType() ==
Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
+ || _accountService.isDomainAdmin(account.getId())
+ || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+ final List<Long> noDomainIds =
networkOfferingDetailsDao.findDomainIds(nof.getId());
+ if (noDomainIds.isEmpty()) {
+ isAccess = true;
+ } else {
+ for (Long domainId : noDomainIds) {
+ if (_domainDao.isChildDomain(domainId,
account.getDomainId())) {
+ isAccess = true;
+ break;
+ }
+ }
+ }
+ }
+ }
+ // Check for zones
+ if (isAccess && nof != null && zone != null) {
+ final List<Long> doZoneIds =
networkOfferingDetailsDao.findZoneIds(nof.getId());
+ isAccess = doZoneIds.isEmpty() || doZoneIds.contains(zone.getId());
+ }
+ return isAccess;
+ }
+
+ @Override
+ public boolean checkAccess(Account account, VpcOffering vof, DataCenter
zone) throws PermissionDeniedException {
+ boolean isAccess = false;
Review comment:
same as above
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
