Repository: cloudstack
Updated Branches:
  refs/heads/4.4-forward 8ffb2c114 -> eb28f77d1


CLOUDSTACK-6581: IAM - Shared Network -Root Admin user is allowed to deploy VM 
in a shared network that is scoped for a specific domain/account.

Changes:
- Strict access check in NetworkModel is needed, as in CS 4.3
- We cannot go through accountMgr since accountMgr is relaxed for rootAdmin


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/eb28f77d
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/eb28f77d
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/eb28f77d

Branch: refs/heads/4.4-forward
Commit: eb28f77d1a07e902577a38194196b463ba5aef42
Parents: 8ffb2c1
Author: Prachi Damle <pra...@cloud.com>
Authored: Tue May 6 15:58:05 2014 -0700
Committer: Prachi Damle <pra...@cloud.com>
Committed: Tue May 6 17:21:05 2014 -0700

----------------------------------------------------------------------
 .../spring-server-core-managers-context.xml     |  1 +
 .../src/com/cloud/network/NetworkModelImpl.java | 21 +++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/eb28f77d/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
----------------------------------------------------------------------
diff --git 
a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
 
b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index fc1c7e2..09abcb7 100644
--- 
a/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ 
b/server/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -74,6 +74,7 @@
 
     <bean id="networkModelImpl" class="com.cloud.network.NetworkModelImpl">
         <property name="networkElements" 
value="#{networkElementsRegistry.registered}" />
+        <property name="securityCheckers" 
value="#{securityCheckersRegistry.registered}" />
     </bean>
 
     <bean id="configurationServerImpl" 
class="com.cloud.server.ConfigurationServerImpl" />

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/eb28f77d/server/src/com/cloud/network/NetworkModelImpl.java
----------------------------------------------------------------------
diff --git a/server/src/com/cloud/network/NetworkModelImpl.java 
b/server/src/com/cloud/network/NetworkModelImpl.java
index 4267967..f84eccd 100755
--- a/server/src/com/cloud/network/NetworkModelImpl.java
+++ b/server/src/com/cloud/network/NetworkModelImpl.java
@@ -34,6 +34,7 @@ import javax.naming.ConfigurationException;
 
 import org.apache.log4j.Logger;
 
+import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.ControlledEntity.ACLType;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -219,6 +220,16 @@ public class NetworkModelImpl extends ManagerBase 
implements NetworkModel {
     static HashMap<Service, List<Provider>> s_serviceToImplementedProvidersMap 
= new HashMap<Service, List<Provider>>();
     static HashMap<String, String> s_providerToNetworkElementMap = new 
HashMap<String, String>();
 
+    List<SecurityChecker> _securityCheckers;
+
+    public List<SecurityChecker> getSecurityCheckers() {
+        return _securityCheckers;
+    }
+
+    public void setSecurityCheckers(List<SecurityChecker> securityCheckers) {
+        _securityCheckers = securityCheckers;
+    }
+
     /**
      *
      */
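Review bot: The new `_securityCheckers` field is package-private, non-final and undocumented, and `setSecurityCheckers` accepts null without complaint even though the access-check loop added later in this commit dereferences the list unconditionally, so a missing or mis-typed Spring wiring would surface as a NullPointerException at the first permission check rather than at startup. Consider `_securityCheckers = Objects.requireNonNull(securityCheckers, "securityCheckers");` (adding the `java.util.Objects` import if the file lacks it) and a one-line Javadoc on the field stating that it is the IAM checker chain consulted by the shared-network access path in place of `_accountMgr`. The getter also hands out the internal mutable list; returning `Collections.unmodifiableList(_securityCheckers)` would match the read-only intent if no caller needs to mutate it — confirm against the Spring registry usage. The enclosing class continues outside the hunk.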
@@ -1586,7 +1597,15 @@ public class NetworkModelImpl extends ManagerBase 
implements NetworkModel {
                         + ", permission denied");
             }
         } else {
-            _accountMgr.checkAccess(owner, accessType, network);
+            // Go through IAM (SecurityCheckers)
+            for (SecurityChecker checker : _securityCheckers) {
+                if (checker.checkAccess(owner, accessType, null, network)) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("Access to " + network + " granted to " 
+ owner + " by " + checker.getName());
+                    }
+                    break;
+                }
+            }
         }
     }
 
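Review bot: The replacement loop fails open: when no checker returns true (or the wired checker list is empty) the loop simply finishes and the method returns normally, whereas the removed `_accountMgr.checkAccess(owner, accessType, network)` call denied access on that path. Since the commit's stated goal is a stricter check than the relaxed account-manager one, the loop needs a `granted` flag and an explicit deny after it, matching how the rest of the file's sibling branch ends with `", permission denied"`; I assume `PermissionDeniedException` is the type that branch throws and is already imported — confirm. The enclosing method starts outside the hunk. A short comment on the new `checkAccess(owner, accessType, null, network)` call noting that a checker returning false means "cannot decide", not "denied", would also help the next reader understand why a final deny is required.
```java
            // Go through IAM (SecurityCheckers); a checker returning false means it
            // could not decide, so access is only granted if one checker says yes.
            boolean granted = false;
            for (SecurityChecker checker : _securityCheckers) {
                if (checker.checkAccess(owner, accessType, null, network)) {
                    // … unchanged: debug log …
                    granted = true;
                    break;
                }
            }
            if (!granted) {
                throw new PermissionDeniedException("Unable to confirm " + owner + " has access to " + network + ", permission denied");
            }
```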
