Repository: cloudstack Updated Branches: refs/heads/4.4 406c289d1 -> ba5500213
CLOUDSTACK-6428:IAM - Domain Admin - When his sub-domainId is passed to the listVirtualMachine command, Vms from all the domains are being listed. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ba550021 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ba550021 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ba550021 Branch: refs/heads/4.4 Commit: ba55002132ebda2992c28d195feb2327d5f7f3b4 Parents: 406c289 Author: Min Chen <min.c...@citrix.com> Authored: Wed Apr 16 10:09:49 2014 -0700 Committer: Min Chen <min.c...@citrix.com> Committed: Wed Apr 16 10:10:45 2014 -0700 ---------------------------------------------------------------------- .../iam/RoleBasedEntityQuerySelector.java | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ba550021/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java index a569403..40c8549 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java @@ -31,6 +31,8 @@ import org.apache.cloudstack.iam.api.IAMPolicy; import org.apache.cloudstack.iam.api.IAMPolicyPermission; import org.apache.cloudstack.iam.api.IAMService; +import com.cloud.domain.DomainVO; +import com.cloud.domain.dao.DomainDao; import com.cloud.user.Account; import com.cloud.utils.component.AdapterBase; 
@@ -40,6 +42,8 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe @Inject IAMService _iamService; + @Inject + DomainDao _domainDao; @Override public List<Long> getAuthorizedDomains(Account caller, String action, AccessType accessType) { @@ -61,11 +65,23 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe if (pp != null) { for (IAMPolicyPermission p : pp) { if (p.getScopeId() != null) { + Long domainId = null; if (p.getScopeId().longValue() == -1) { - domainIds.add(caller.getDomainId()); + domainId = caller.getDomainId(); + //domainIds.add(caller.getDomainId()); } else { - domainIds.add(p.getScopeId()); + domainId = p.getScopeId(); + //domainIds.add(p.getScopeId()); + } + domainIds.add(domainId); + // add all the domain children from this domain. Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that + // the whole domain tree is granted access. + DomainVO domain = _domainDao.findById(domainId); + List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath()); + if (childDomains != null && childDomains.size() > 0) { + domainIds.addAll(childDomains); } + } } }
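Review bot: In the last hunk, `_domainDao.findById(domainId)` is dereferenced by `domain.getPath()` without a null check. If a policy permission's scope id does not resolve to a domain row (presumably possible for a removed domain or a stale permission), this authorization query path throws a NullPointerException instead of contributing no domains. Do the lookup before `domainIds.add(domainId)` and skip the permission with `if (domain == null) { continue; }`, ideally logging the scope id so stale grants can be found. The added code widens the caller's authorized set to the whole subtree, so the comment's assumption about DOMAIN scope deserves a test where a domain admin passes a sub-domain id and a sibling domain id. The two commented-out lines `//domainIds.add(caller.getDomainId());` and `//domainIds.add(p.getScopeId());` should be deleted rather than committed. The enclosing method starts and ends outside this hunk, so how `domainIds` is declared, and whether overlapping grants leave duplicates in it, cannot be checked from here.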