Repository: cloudstack Updated Branches: refs/heads/4.4 c4ab1d577 -> 96cd858d9
CLOUDSTACK-6535: IAM:MS:API createVMSnapshot doesn't preserve access rights. Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/4ebde835 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/4ebde835 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/4ebde835 Branch: refs/heads/4.4 Commit: 4ebde8351924ec14bab8fb9dae59c238ebbcd440 Parents: c4ab1d5 Author: Min Chen <min.c...@citrix.com> Authored: Thu May 1 12:12:52 2014 -0700 Committer: Daan Hoogland <d...@onecht.net> Committed: Fri May 2 18:52:51 2014 +0200 ---------------------------------------------------------------------- .../api/command/admin/vm/AddNicToVMCmdByAdmin.java | 3 ++- .../command/admin/volume/CreateVolumeCmdByAdmin.java | 5 ++++- .../api/command/user/volume/CreateVolumeCmd.java | 7 +++++-- .../src/com/cloud/api/dispatch/ParamProcessWorker.java | 12 ++++++++++++ 4 files changed, 23 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java index ee6d0e7..3dd22c1 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java +++ b/api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java @@ -31,8 +31,9 @@ import org.apache.cloudstack.api.response.UserVmResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.uservm.UserVm; +import com.cloud.vm.VirtualMachine; -@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, +@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = true) public class AddNicToVMCmdByAdmin extends AddNicToVMCmd { public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java b/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java index 5df7481..8ff3993 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java +++ b/api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java @@ -28,8 +28,11 @@ import org.apache.cloudstack.context.CallContext; import com.cloud.storage.Snapshot; import com.cloud.storage.Volume; +import com.cloud.vm.VirtualMachine; -@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full) +@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full, entityType = { + Volume.class, VirtualMachine.class}, + requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class CreateVolumeCmdByAdmin extends CreateVolumeCmd { public static final Logger s_logger = Logger.getLogger(CreateVolumeCmdByAdmin.class.getName()); http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java ---------------------------------------------------------------------- diff --git a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java index 0fa540c..90c1a16 100644 --- a/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java @@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume; import org.apache.log4j.Logger; import org.apache.cloudstack.acl.RoleType; +import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; @@ -42,8 +43,10 @@ import com.cloud.event.EventTypes; import com.cloud.exception.ResourceAllocationException; import com.cloud.storage.Snapshot; import com.cloud.storage.Volume; +import com.cloud.vm.VirtualMachine; -@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {Volume.class}, +@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = { + Volume.class, VirtualMachine.class}, requestHasSensitiveInfo = false, responseHasSensitiveInfo = false) public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd { public static final Logger s_logger = Logger.getLogger(CreateVolumeCmd.class.getName()); @@ -103,7 +106,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd { @Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin}) private Boolean displayVolume; - @ACL + @ACL(accessType = AccessType.OperateEntry) @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID, type = CommandType.UUID, entityType = UserVmResponse.class, http://git-wip-us.apache.org/repos/asf/cloudstack/blob/4ebde835/server/src/com/cloud/api/dispatch/ParamProcessWorker.java ---------------------------------------------------------------------- diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java index 2fd7721..d862660 100644 --- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java +++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java @@ -42,6 +42,7 @@ import org.apache.cloudstack.acl.SecurityChecker.AccessType; import org.apache.cloudstack.api.ACL; import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiErrorCode; +import org.apache.cloudstack.api.BaseAsyncCreateCmd; import org.apache.cloudstack.api.BaseCmd; import org.apache.cloudstack.api.BaseCmd.CommandType; import org.apache.cloudstack.api.EntityReference; @@ -227,6 +228,17 @@ public class ParamProcessWorker implements DispatchWorker { owner = caller; } + if (cmd instanceof BaseAsyncCreateCmd) { + if (owner.getId() != caller.getId()) { + // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters + // in this case, we should check access using the owner + _accountMgr.checkAccess(caller, null, owner); + } + } else { + // check access using the caller for other operational cmds + owner = caller; + } + APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class); String apiName = commandAnnotation != null ? commandAnnotation.name() : null;
