CLOUDSTACK-6349: IAM - No error message presented to the user , when invalid password is provided.
- AccountManager now works using accountId instead of accountType in following methods too: - isResourceDomainAdmin() - isAdmin() Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/9514c9e0 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/9514c9e0 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/9514c9e0 Branch: refs/heads/master Commit: 9514c9e0455d69988b1cd2f79d0b276fc1ebcc04 Parents: 7971694 Author: Prachi Damle <pra...@cloud.com> Authored: Mon Apr 28 11:10:50 2014 -0700 Committer: Min Chen <min.c...@citrix.com> Committed: Mon Apr 28 11:10:50 2014 -0700 ---------------------------------------------------------------------- api/src/com/cloud/user/AccountService.java | 2 +- .../api/command/admin/user/CreateUserCmd.java | 2 +- .../affinitygroup/CreateAffinityGroupCmd.java | 2 +- .../affinitygroup/DeleteAffinityGroupCmd.java | 2 +- .../api/command/user/iso/ListIsosCmd.java | 2 +- .../user/resource/UpdateResourceCountCmd.java | 2 +- .../securitygroup/CreateSecurityGroupCmd.java | 2 +- .../command/user/ssh/DeleteSSHKeyPairCmd.java | 2 +- .../command/user/template/ListTemplatesCmd.java | 2 +- .../user/volume/ListResourceDetailsCmd.java | 2 +- .../contrail/management/MockAccountManager.java | 2 +- server/src/com/cloud/acl/DomainChecker.java | 4 ++ server/src/com/cloud/api/ApiDBUtils.java | 2 +- .../com/cloud/api/query/QueryManagerImpl.java | 6 +-- .../api/query/dao/TemplateJoinDaoImpl.java | 2 +- .../com/cloud/network/NetworkServiceImpl.java | 4 +- .../resourcelimit/ResourceLimitManagerImpl.java | 2 +- .../storage/snapshot/SnapshotManagerImpl.java | 2 +- .../com/cloud/template/TemplateAdapterBase.java | 2 +- .../com/cloud/template/TemplateManagerImpl.java | 4 +- .../src/com/cloud/user/AccountManagerImpl.java | 41 +++++++++++++++----- server/src/com/cloud/vm/UserVmManagerImpl.java | 2 +- .../com/cloud/user/MockAccountManagerImpl.java | 2 +- 
.../api/command/iam/CreateIAMGroupCmd.java | 2 +- .../api/command/iam/CreateIAMPolicyCmd.java | 2 +- 25 files changed, 63 insertions(+), 36 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/com/cloud/user/AccountService.java ---------------------------------------------------------------------- diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java index 4b5dc36..71136bf 100755 --- a/api/src/com/cloud/user/AccountService.java +++ b/api/src/com/cloud/user/AccountService.java @@ -74,7 +74,7 @@ public interface AccountService { User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID); - boolean isAdmin(short accountType); + boolean isAdmin(Long accountId); Account finalizeOwner(Account caller, String accountName, Long domainId, Long projectId); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java b/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java index 51e218d..8f223ac 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java 
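Review bot: The new `boolean isAdmin(Long accountId)` declaration in `AccountService` replaces a primitive type-code test with an id that the implementation now has to resolve, yet the interface hunk carries no Javadoc, so callers cannot tell whether a null or unknown id throws or simply yields false. Suggest `/** True if the account with this id is a root, domain, resource-domain or read-only admin; a null id yields false. */` above the declaration, which matches what the `AccountManagerImpl` hunk does for null. The boxed `Long` parameter also means any remaining caller that still passes a `short` type code fails to compile rather than silently widening, which is the right outcome for an authorization helper.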
@@ -131,7 +131,7 @@ public class CreateUserCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java index c30e528..96d8bec 100644 --- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java @@ -102,7 +102,7 @@ public class CreateAffinityGroupCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java ---------------------------------------------------------------------- 
diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java index 945592b..21c2fa8 100644 --- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java @@ -110,7 +110,7 @@ public class DeleteAffinityGroupCmd extends BaseAsyncCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java b/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java index 3aabf92..88e4326 100644 --- a/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java 
@@ -121,7 +121,7 @@ public class ListIsosCmd extends BaseListTaggedResourcesCmd { public boolean listInReadyState() { Account account = CallContext.current().getCallingAccount(); // It is account specific if account is admin type and domainId and accountName are not null - boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null); + boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getId())) && (getAccountName() != null) && (getDomainId() != null); // Show only those that are downloaded. TemplateFilter templateFilter = TemplateFilter.valueOf(getIsoFilter()); boolean onlyReady = http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java b/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java index 5a41749..81d725b 100644 --- a/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java 
@@ -106,7 +106,7 @@ public class UpdateResourceCountCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java index b5758ca..d3d35bc 100644 --- a/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java @@ -97,7 +97,7 @@ public class CreateSecurityGroupCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java ---------------------------------------------------------------------- 
diff --git a/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java b/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java index 0709686..9258587 100644 --- a/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java @@ -93,7 +93,7 @@ public class DeleteSSHKeyPairCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java b/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java index 249aa0e..7a2a158 100644 --- a/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java 
@@ -103,7 +103,7 @@ public class ListTemplatesCmd extends BaseListTaggedResourcesCmd { Account account = CallContext.current().getCallingAccount(); // It is account specific if account is admin type and domainId and accountName are not null - boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null); + boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getId())) && (getAccountName() != null) && (getDomainId() != null); // Show only those that are downloaded. TemplateFilter templateFilter = TemplateFilter.valueOf(getTemplateFilter()); boolean onlyReady = http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/api/src/org/apache/cloudstack/api/command/user/volume/ListResourceDetailsCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/ListResourceDetailsCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/ListResourceDetailsCmd.java index 93dc29d..afbfb99 100644 --- a/api/src/org/apache/cloudstack/api/command/user/volume/ListResourceDetailsCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/volume/ListResourceDetailsCmd.java @@ -80,7 +80,7 @@ public class ListResourceDetailsCmd extends BaseListProjectAndAccountResourcesCm List<ResourceDetailResponse> resourceDetailResponse = _queryService.listResourceDetails(this); response.setResponses(resourceDetailResponse); response.setResponseName(getCommandName()); - this.setResponseObject(response); + setResponseObject(response); } public ResourceTag.ResourceObjectType getResourceType() { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java ---------------------------------------------------------------------- 
diff --git a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java index 1b4b96e..e9bbc8e 100644 --- a/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java +++ b/plugins/network-elements/juniper-contrail/test/org/apache/cloudstack/network/contrail/management/MockAccountManager.java @@ -165,7 +165,7 @@ public class MockAccountManager extends ManagerBase implements AccountManager { } @Override - public boolean isAdmin(short arg0) { + public boolean isAdmin(Long accountId) { // TODO Auto-generated method stub return false; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/acl/DomainChecker.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index da39f51..9ee65db 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -350,6 +350,10 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { return true; } + } else if (action != null && ("DomainResourceCapability".equals(action))) { + if (caller != null && caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { + return true; + } } return checkAccess(caller, entity, accessType); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/api/ApiDBUtils.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java index 67e47f7..2da107f 100755 --- a/server/src/com/cloud/api/ApiDBUtils.java 
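Review bot: The new `DomainResourceCapability` branch in `DomainChecker.checkAccess` grants purely on `caller.getType()` and ignores `entity` and `accessType`, mirroring the `DomainCapability` branch above it; that is consistent, but the action name is a bare string literal that must match the one passed from `AccountManagerImpl.isResourceDomainAdmin`, and a typo on either side would silently turn every resource-domain admin into a non-admin. Consider a shared constant such as `public static final String DOMAIN_RESOURCE_CAPABILITY = "DomainResourceCapability";` alongside whatever declares `DomainCapability`, and a comment on the branch: `// capability query: entity/accessType are null for these actions, answer from the account type only`. The enclosing `checkAccess` method starts before this hunk.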
+++ b/server/src/com/cloud/api/ApiDBUtils.java @@ -1829,7 +1829,7 @@ public class ApiDBUtils { } public static boolean isAdmin(Account account) { - return s_accountService.isAdmin(account.getType()); + return s_accountService.isAdmin(account.getId()); } public static List<ResourceTagJoinVO> listResourceTagViewByResourceUUID(String resourceUUID, ResourceObjectType resourceType) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/api/query/QueryManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index a007a07..dcb32a9 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -777,7 +777,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Object keyword = cmd.getKeyword(); boolean isAdmin = false; boolean isRootAdmin = false; - if (_accountMgr.isAdmin(caller.getType())) { + if (_accountMgr.isAdmin(caller.getId())) { isAdmin = true; } if (_accountMgr.isRootAdmin(caller.getId())) { @@ -1279,7 +1279,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { sb.select(null, Func.DISTINCT, sb.entity().getId()); // select distinct // ids - if (_accountMgr.isAdmin(caller.getType())) { + if (_accountMgr.isAdmin(caller.getId())) { if (domainId != null) { DomainVO domain = _domainDao.findById(domainId); if (domain == null) { 
@@ -1483,7 +1483,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // verify permissions - only accounts belonging to the project can list // project's account - if (!_accountMgr.isAdmin(caller.getType()) && _projectAccountDao.findByProjectIdAccountId(projectId, caller.getAccountId()) == null) { + if (!_accountMgr.isAdmin(caller.getId()) && _projectAccountDao.findByProjectIdAccountId(projectId, caller.getAccountId()) == null) { throw new PermissionDeniedException("Account " + caller + " is not authorized to list users of the project id=" + projectId); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java index 1cab6e8..80ef0f6 100644 --- a/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/TemplateJoinDaoImpl.java @@ -302,7 +302,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im Account caller = CallContext.current().getCallingAccount(); boolean isAdmin = false; - if ((caller == null) || _accountService.isAdmin(caller.getType())) { + if ((caller == null) || _accountService.isAdmin(caller.getId())) { isAdmin = true; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/network/NetworkServiceImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java index 696d853..6cd5cf8 100755 --- a/server/src/com/cloud/network/NetworkServiceImpl.java +++ b/server/src/com/cloud/network/NetworkServiceImpl.java 
@@ -1085,14 +1085,14 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { } // Only Admin can create Shared networks - if (ntwkOff.getGuestType() == GuestType.Shared && !_accountMgr.isAdmin(caller.getType())) { + if (ntwkOff.getGuestType() == GuestType.Shared && !_accountMgr.isAdmin(caller.getId())) { throw new InvalidParameterValueException("Only Admins can create network with guest type " + GuestType.Shared); } // Check if the network is domain specific if (aclType == ACLType.Domain) { // only Admin can create domain with aclType=Domain - if (!_accountMgr.isAdmin(caller.getType())) { + if (!_accountMgr.isAdmin(caller.getId())) { throw new PermissionDeniedException("Only admin can create networks with aclType=Domain"); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java index 85ebe0a..2b5d976 100755 --- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java +++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java @@ -458,7 +458,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim List<ResourceLimitVO> limits = new ArrayList<ResourceLimitVO>(); boolean isAccount = true; - if (!_accountMgr.isAdmin(caller.getType())) { + if (!_accountMgr.isAdmin(caller.getId())) { accountId = caller.getId(); domainId = null; } else { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java index c22e148..d19a0ed 100755 
--- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java +++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java @@ -769,7 +769,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, if (account != null) { long volAcctId = volume.getAccountId(); - if (_accountMgr.isAdmin(account.getType())) { + if (_accountMgr.isAdmin(account.getId())) { Account userAccount = _accountDao.findById(Long.valueOf(volAcctId)); if (!_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) { throw new PermissionDeniedException("Unable to list snapshot schedule for volume " + volumeId + ", permission denied."); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/template/TemplateAdapterBase.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/template/TemplateAdapterBase.java b/server/src/com/cloud/template/TemplateAdapterBase.java index c84132d..cb38075 100755 --- a/server/src/com/cloud/template/TemplateAdapterBase.java +++ b/server/src/com/cloud/template/TemplateAdapterBase.java @@ -320,7 +320,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat private Long accountAndUserValidation(Account account, long userId, UserVmVO vmInstanceCheck, VMTemplateVO template, String msg) throws PermissionDeniedException { if (account != null) { - if (!_accountMgr.isAdmin(account.getType())) { + if (!_accountMgr.isAdmin(account.getId())) { if ((vmInstanceCheck != null) && (account.getId() != vmInstanceCheck.getAccountId())) { throw new PermissionDeniedException(msg + ". Permission denied."); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/template/TemplateManagerImpl.java ---------------------------------------------------------------------- 
diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java index 0a32c8e..ead841f 100755 --- a/server/src/com/cloud/template/TemplateManagerImpl.java +++ b/server/src/com/cloud/template/TemplateManagerImpl.java @@ -1218,7 +1218,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new InvalidParameterValueException("unable to update permissions for " + mediaType + " with id " + id); } - boolean isAdmin = _accountMgr.isAdmin(caller.getType()); + boolean isAdmin = _accountMgr.isAdmin(caller.getId()); // check configuration parameter(allow.public.user.templates) value for // the template owner boolean allowPublicUserTemplates = AllowPublicUserTemplates.valueIn(template.getAccountId()); @@ -1485,7 +1485,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, Long userId = CallContext.current().getCallingUserId(); Account caller = CallContext.current().getCallingAccount(); - boolean isAdmin = (_accountMgr.isAdmin(caller.getType())); + boolean isAdmin = (_accountMgr.isAdmin(caller.getId())); _accountMgr.checkAccess(caller, null, templateOwner); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/user/AccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index c28ff7d..d265816 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java 
@@ -353,9 +353,17 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } @Override - public boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || - (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); + public boolean isAdmin(Long accountId) { + if (accountId != null) { + AccountVO acct = _accountDao.findById(accountId); + if ((isRootAdmin(accountId)) || (isDomainAdmin(accountId)) || (isResourceDomainAdmin(accountId))) { + return true; + } else if (acct.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) { + return true; + } + + } + return false; } @Override @@ -386,7 +394,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M try { if (checker.checkAccess(acct, null, null, "DomainCapability")) { if (s_logger.isDebugEnabled()) { - s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + s_logger.debug("DomainAdmin Access granted to " + acct + " by " + checker.getName()); } return true; } @@ -407,8 +415,23 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M return false; } - public boolean isResourceDomainAdmin(short accountType) { - return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN); + public boolean isResourceDomainAdmin(Long accountId) { + if (accountId != null) { + AccountVO acct = _accountDao.findById(accountId); + for (SecurityChecker checker : _securityCheckers) { + try { + if (checker.checkAccess(acct, null, null, "DomainResourceCapability")) { + if (s_logger.isDebugEnabled()) { + s_logger.debug("ResourceDomainAdmin Access granted to " + acct + " by " + checker.getName()); + } + return true; + } + } catch (PermissionDeniedException ex) { + return false; + } + } + } + return false; } public boolean isInternalAccount(long accountId) { 
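Review bot: `isAdmin(Long accountId)` dereferences `acct.getType()` without checking that `_accountDao.findById(accountId)` returned a row, so an id belonging to a removed or unknown account now raises a NullPointerException out of an authorization check instead of returning false; add `if (acct == null) { return false; }` directly after the lookup. The row is also loaded before the `isRootAdmin`/`isDomainAdmin`/`isResourceDomainAdmin` calls, each of which appears to do its own lookup (the visible `isDomainAdmin` loop hands a freshly loaded `acct` to the checkers), so one admin decision may now cost several queries on request paths such as template listing that previously did a type comparison — presumably acceptable, but worth a comment. A short Javadoc stating that a null or unresolvable id yields false would let callers like `getEntityOwnerId()` drop the assumption that only the `account == null ||` guard protects them.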
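Review bot: In the new `isResourceDomainAdmin(Long accountId)`, the `catch (PermissionDeniedException ex) { return false; }` inside the checker loop returns on the first checker that throws, so a later checker that would have granted `DomainResourceCapability` is never consulted; if a denial by any checker is meant to be final, say so in a comment (`// any checker denying is final`), otherwise the loop should continue to the next checker as its grant-on-first-true shape suggests. The `acct` loaded from `_accountDao.findById` may be null for an unknown id and is passed straight to the checkers; `DomainChecker` guards `caller != null`, but other registered checkers are not visible here, so `if (acct == null) { return false; }` before the loop is the safer contract. The method is public but no interface hunk for it is shown, so a one-line Javadoc matching `isAdmin` would help.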
@@ -476,7 +499,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M @Override public Long checkAccessAndSpecifyAuthority(Account caller, Long zoneId) { // We just care for resource domain admin for now. He should be permitted to see only his zone. - if (isResourceDomainAdmin(caller.getType())) { + if (isResourceDomainAdmin(caller.getAccountId())) { if (zoneId == null) return getZoneIdForAccount(caller); else if (zoneId.compareTo(getZoneIdForAccount(caller)) != 0) @@ -1661,7 +1684,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M return getAccount(project.getProjectAccountId()); } - if (isAdmin(caller.getType()) && accountName != null && domainId != null) { + if (isAdmin(caller.getId()) && accountName != null && domainId != null) { Domain domain = _domainMgr.getDomain(domainId); if (domain == null) { throw new InvalidParameterValueException("Unable to find the domain by id=" + domainId); @@ -1674,7 +1697,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M checkAccess(caller, domain); return owner; - } else if (!isAdmin(caller.getType()) && accountName != null && domainId != null) { + } else if (!isAdmin(caller.getId()) && accountName != null && domainId != null) { if (!accountName.equals(caller.getAccountName()) || domainId.longValue() != caller.getDomainId()) { throw new PermissionDeniedException("Can't create/list resources for account " + accountName + " in domain " + domainId + ", permission denied"); } else { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/src/com/cloud/vm/UserVmManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index 7a707ae..22f2798 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java 
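Review bot: `checkAccessAndSpecifyAuthority` passes `caller.getAccountId()` to `isResourceDomainAdmin`, while every other converted call site in this commit passes `caller.getId()`; on an `Account` both presumably resolve to the caller's own id, but mixing the two accessors makes it harder to audit that the authorization check is applied to the caller rather than to a resource owner. Use `isResourceDomainAdmin(caller.getId())` here for consistency. The surrounding comment could also note that this check now goes through the security checkers instead of a type comparison, since that changes its cost; the method continues past the end of the hunk.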
@@ -2075,7 +2075,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir long vmId = cmd.getId(); boolean expunge = cmd.getExpunge(); - if (!_accountMgr.isAdmin(ctx.getCallingAccount().getType()) && expunge) { + if (!_accountMgr.isAdmin(ctx.getCallingAccount().getId()) && expunge) { throw new PermissionDeniedException("Parameter " + ApiConstants.EXPUNGE + " can be passed by Admin only"); } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/server/test/com/cloud/user/MockAccountManagerImpl.java ---------------------------------------------------------------------- diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index 5938b3c..e53974a 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -120,7 +120,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco } @Override - public boolean isAdmin(short accountType) { + public boolean isAdmin(Long accountId) { // TODO Auto-generated method stub return false; } http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java index d0b9bc6..93940e8 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java +++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMGroupCmd.java 
@@ -97,7 +97,7 @@ public class CreateIAMGroupCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { http://git-wip-us.apache.org/repos/asf/cloudstack/blob/9514c9e0/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java ---------------------------------------------------------------------- diff --git a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java index be863de..7ebab67 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java +++ b/services/iam/plugin/src/org/apache/cloudstack/api/command/iam/CreateIAMPolicyCmd.java @@ -104,7 +104,7 @@ public class CreateIAMPolicyCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || _accountService.isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getId())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) {