Repository: cloudstack Updated Branches: refs/heads/4.4-forward-iam-disabled 986d2ddc7 -> d5555aa88
Revert the @ACL annotation processing back to 4.3 logic Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/e30d9a99 Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/e30d9a99 Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/e30d9a99 Branch: refs/heads/4.4-forward-iam-disabled Commit: e30d9a99f7589817e07cee7d779c9991487022a8 Parents: 986d2dd Author: Prachi Damle <pra...@cloud.com> Authored: Thu May 15 15:33:37 2014 -0700 Committer: Prachi Damle <pra...@cloud.com> Committed: Thu May 15 15:33:37 2014 -0700 ---------------------------------------------------------------------- .../cloud/api/dispatch/ParamProcessWorker.java | 110 +++---------------- 1 file changed, 15 insertions(+), 95 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cloudstack/blob/e30d9a99/server/src/com/cloud/api/dispatch/ParamProcessWorker.java ----------------------------------------------------------------------
diff --git a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
index eb4c76b..f4e3cd4 100644
--- a/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
+++ b/server/src/com/cloud/api/dispatch/ParamProcessWorker.java
@@ -35,10 +35,14 @@ import javax.inject.Inject;
 import org.apache.log4j.Logger;
+import org.apache.cloudstack.acl.ControlledEntity;
+import org.apache.cloudstack.acl.InfrastructureEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
 import org.apache.cloudstack.acl.SecurityChecker.AccessType;
 import org.apache.cloudstack.api.ACL;
+import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseAsyncCreateCmd;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.BaseCmd.CommandType;
 import org.apache.cloudstack.api.EntityReference;
@@ -53,6 +57,7 @@ import org.apache.cloudstack.api.command.user.event.ListEventsCmd;
 import org.apache.cloudstack.context.CallContext;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.utils.DateUtil;
 import com.cloud.utils.db.EntityManager;
@@ -209,118 +214,33 @@ public class ParamProcessWorker implements DispatchWorker { } - // doAccessChecks(cmd, entitiesToAccess); + doAccessChecks(cmd, entitiesToAccess); } - /* IAM feature disabled. - * private void doAccessChecks(final BaseCmd cmd, final Map<Object, AccessType> entitiesToAccess) { + private void doAccessChecks(BaseCmd cmd, Map<Object, AccessType> entitiesToAccess) { Account caller = CallContext.current().getCallingAccount(); - Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); - if (owner == null) { - owner = caller; - } + Account owner = _accountMgr.getActiveAccountById(cmd.getEntityOwnerId()); if (cmd instanceof BaseAsyncCreateCmd) { - if (owner.getId() != caller.getId()) { - // mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters - // in this case, we should check access using the owner - _accountMgr.checkAccess(caller, null, true, owner); - } - } else { - // check access using the caller for other operational cmds - owner = caller; + // check that caller can access the owner account. + _accountMgr.checkAccess(caller, null, true, owner); } - APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class); - String apiName = commandAnnotation != null ? commandAnnotation.name() : null; - if (!entitiesToAccess.isEmpty()) { - List<ControlledEntity> entitiesToOperate = new ArrayList<ControlledEntity>(); - + // check that caller can access the owner account. 
+ _accountMgr.checkAccess(caller, null, true, owner); for (Object entity : entitiesToAccess.keySet()) { if (entity instanceof ControlledEntity) { - - if (AccessType.OperateEntry == entitiesToAccess.get(entity)) { - entitiesToOperate.add((ControlledEntity) entity); - } else { - _accountMgr.checkAccess(owner, entitiesToAccess.get(entity), false, apiName, - (ControlledEntity) entity); - } + _accountMgr.checkAccess(caller, entitiesToAccess.get(entity), true, (ControlledEntity) entity); } else if (entity instanceof InfrastructureEntity) { - if (entity instanceof DataCenter) { - checkZoneAccess(owner, (DataCenter)entity); - } else if (entity instanceof ServiceOffering) { - checkServiceOfferingAccess(owner, (ServiceOffering)entity); - } else if (entity instanceof DiskOffering) { - checkDiskOfferingAccess(owner, (DiskOffering)entity); - } + // FIXME: Move this code in adapter, remove code from + // Account manager } } - - if (!entitiesToOperate.isEmpty()) { - _accountMgr.checkAccess(owner, AccessType.OperateEntry, false, apiName, - (ControlledEntity[]) entitiesToOperate.toArray()); - } - } } - private void checkDiskOfferingAccess(Account caller, DiskOffering dof) { - for (SecurityChecker checker : _secChecker) { - if (checker.checkAccess(caller, dof)) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Access granted to " + caller + " to disk offering:" + dof.getId() + " by " - + checker.getName()); - } - return; - } else { - throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()); - } - } - - assert false : "How can all of the security checkers pass on checking this caller?"; - throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to disk offering:" - + dof.getId()); - } - - private void checkServiceOfferingAccess(Account caller, ServiceOffering sof) { - for (SecurityChecker checker : _secChecker) { - if (checker.checkAccess(caller, sof)) { - if (s_logger.isDebugEnabled()) { - 
s_logger.debug("Access granted to " + caller + " to service offering:" + sof.getId() + " by " - + checker.getName()); - } - return; - } else { - throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()); - } - } - - assert false : "How can all of the security checkers pass on checking this caller?"; - throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to service offering:" - + sof.getId()); - } - - private void checkZoneAccess(Account caller, DataCenter zone) { - for (SecurityChecker checker : _secChecker) { - if (checker.checkAccess(caller, zone)) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId() + " by " - + checker.getName()); - } - return; - } else { - throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName() - + " for zone " + zone.getId()); - } - } - - assert false : "How can all of the security checkers pass on checking this caller?"; - throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to zone:" - + zone.getId()); - }*/ - @SuppressWarnings({"unchecked", "rawtypes"}) private void setFieldValue(final Field field, final BaseCmd cmdObj, final Object paramObj, final Parameter annotation) throws IllegalArgumentException, ParseException { try {
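Review bot: The `else if (entity instanceof InfrastructureEntity)` branch of the re-enabled `doAccessChecks` holds only a FIXME, so any entry in `entitiesToAccess` of that kind leaves this method without an access check; the removed, commented-out code dispatched zones, service offerings and disk offerings to per-type checks. If enforcement is meant to live elsewhere, state it at the branch, e.g. `// No access check here for InfrastructureEntity; enforced by <component to confirm>`, or fail closed until the code is moved. Separately, `owner` now comes from `getActiveAccountById(cmd.getEntityOwnerId())` with the earlier `if (owner == null)` fallback dropped, and it is passed straight to `checkAccess`. Whether `checkAccess` tolerates a null entity is not visible in this hunk, so a guard such as `if (owner == null) { owner = caller; }` or an explicit rejection looks necessary. The call `_accountMgr.checkAccess(caller, null, true, owner)` also runs twice for a `BaseAsyncCreateCmd` with a non-empty map, and both copies carry the same comment.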