Repository: cloudstack Updated Branches: refs/heads/4.4 1aff3a5f0 -> c4ab1d577
CLOUDSTACK-6558 IAM - Admin user is able to deploy VM in a regular user's Security Group. Changes: - Even for SecurityGroup, go through IAM to do permission checks for all type of accounts Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/33c3752d Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/33c3752d Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/33c3752d Branch: refs/heads/4.4 Commit: 33c3752d0e08d29962762872da845b66b0c04339 Parents: 1aff3a5 Author: Prachi Damle <pra...@cloud.com> Authored: Thu May 1 12:18:23 2014 -0700 Committer: Daan Hoogland <d...@onecht.net> Committed: Fri May 2 18:50:52 2014 +0200
----------------------------------------------------------------------
.../com/cloud/network/security/SecurityGroupManagerImpl.java | 4 ++-- server/src/com/cloud/user/AccountManagerImpl.java | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/33c3752d/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
index b4c67b8..a666ecd 100755
--- a/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
+++ b/server/src/com/cloud/network/security/SecurityGroupManagerImpl.java
@@ -612,7 +612,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
 }
 // Verify permissions
- _accountMgr.checkAccess(caller, null, securityGroup);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, securityGroup);
 Long domainId = owner.getDomainId();
 if (protocol == null) {
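Review bot: The changed line now passes `AccessType.OperateEntry` where `null` was passed, and because `AccountManagerImpl.checkAccess` in this same commit forwards `accessType` unchanged to every `SecurityChecker`, the hunk should state what a null access type meant to the checkers before, so a reader can tell whether this tightens the check or only names what was already enforced; the hunk at @@ -1120 makes the identical change and the same comment applies there. I would extend the existing comment to `// Verify permissions via IAM: the caller needs OperateEntry on this group, whatever the caller's account type` — the "whatever the account type" part is what the commit message claims, and it cannot be confirmed from the visible lines alone. The permission check is done against `caller` while `domainId` is read from `owner` on the next line; that is presumably intentional (an admin acting on another owner's group), but a one-line comment saying so would save the next reader the question. The enclosing method starts and ends outside the hunk.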
@@ -1120,7 +1120,7 @@ public class SecurityGroupManagerImpl extends ManagerBase implements SecurityGro
 }
 // check permissions
- _accountMgr.checkAccess(caller, null, group);
+ _accountMgr.checkAccess(caller, AccessType.OperateEntry, group);
 return Transaction.execute(new TransactionCallbackWithException<Boolean, ResourceInUseException>() {
 @Override
http://git-wip-us.apache.org/repos/asf/cloudstack/blob/33c3752d/server/src/com/cloud/user/AccountManagerImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index b5fdc3a..301dde4 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -102,6 +102,7 @@ import com.cloud.network.dao.NetworkVO;
 import com.cloud.network.dao.RemoteAccessVpnDao;
 import com.cloud.network.dao.RemoteAccessVpnVO;
 import com.cloud.network.dao.VpnUserDao;
+import com.cloud.network.security.SecurityGroup;
 import com.cloud.network.security.SecurityGroupManager;
 import com.cloud.network.security.dao.SecurityGroupDao;
 import com.cloud.network.vpc.Vpc;
@@ -497,7 +498,8 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 for (ControlledEntity entity : entities) {
 if (entity instanceof VirtualMachineTemplate || entity instanceof Network
- || entity instanceof AffinityGroup) {
+ || entity instanceof AffinityGroup || entity instanceof SecurityGroup) {
+ // Go through IAM (SecurityCheckers)
 for (SecurityChecker checker : _securityCheckers) {
 if (checker.checkAccess(caller, accessType, apiName, entity)) {
 if (s_logger.isDebugEnabled()) {
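Review bot: The `instanceof` chain at the head of the loop in @@ -497 is an allow-list deciding which entity types get the IAM checkers at all; any type not named there silently takes the other branch of this `if`, which is exactly how SecurityGroup was missed before this fix, and the list will be missed again the next time a type is moved under IAM. The new `// Go through IAM (SecurityCheckers)` comment restates the loop below it; the invariant is what needs writing down, e.g. `// Allow-list of entity types authorized through IAM; a type not listed here takes the non-IAM branch of this if, so every type moved under IAM must be added here` (the batch path at @@ -540 looks like a counterpart, but its `if` is outside the hunk so I cannot tell whether it has a matching list). If the chain is kept, moving it into a small `private static boolean isIamManaged(ControlledEntity entity)` helper would give maintainers one place to update instead of an expression that now spans two lines. The enclosing method starts and ends outside the hunk.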
@@ -540,6 +542,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
 }
 } else {
+ // Go through IAM (SecurityCheckers)
 for (SecurityChecker checker : _securityCheckers) {
 if (checker.checkAccess(caller, accessType, apiName, entities)) {
 if (s_logger.isDebugEnabled()) {