CLOUDSTACK-6501:IAM - DomainAdmin - When listVirtualMachines is used with listall=true and account and domainId , Vms owned by the account account is not listed.
Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/6af1a291 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/6af1a291 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/6af1a291 Branch: refs/heads/master Commit: 6af1a2919bfd91cdc722a400d926b7c25fc76200 Parents: 9514c9e Author: Min Chen <min.c...@citrix.com> Authored: Thu Apr 24 18:13:59 2014 -0700 Committer: Min Chen <min.c...@citrix.com> Committed: Mon Apr 28 11:11:27 2014 -0700 ---------------------------------------------------------------------- server/src/com/cloud/user/AccountManagerImpl.java | 6 +++++- .../apache/cloudstack/iam/RoleBasedEntityQuerySelector.java | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6af1a291/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index d265816..d7db6c2 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -2276,7 +2276,11 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M if (accountId != null) { // specific account filter is specified - if (grantedAccounts.contains(accountId)) { + if (grantedDomains.contains(domainId)) { + // the account domain is granted to the caller + permittedAccounts.add(accountId); + } + else if (grantedAccounts.contains(accountId)) { permittedAccounts.add(accountId); } else { //TODO: we should also filter granted resources based on accountId passed. http://git-wip-us.apache.org/repos/asf/cloudstack/blob/6af1a291/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java index 40c8549..b7c3d35 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityQuerySelector.java @@ -73,8 +73,8 @@ public class RoleBasedEntityQuerySelector extends AdapterBase implements QuerySe domainId = p.getScopeId(); //domainIds.add(p.getScopeId()); } - domainIds.add(domainId); - // add all the domain children from this domain. Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that + //domainIds.add(domainId); + // add all the domain children from this domain (including this domain itself). Like RoleBasedEntityAccessChecker, we made an assumption, if DOMAIN scope is granted, it means that // the whole domain tree is granted access. DomainVO domain = _domainDao.findById(domainId); List<Long> childDomains = _domainDao.getDomainChildrenIds(domain.getPath());
