CLOUDSTACK-2365: Anti-Affinity - As admin , we are allowed to deploy a Vm in an affinity group that belongs to different user.

CLOUDSTACK-2349: Anti-Affinity - As admin user , using updateVMAffinityGroup() , we are allowed to update the affinity group of a Vm (that belongs to a regular user) to be set to admin's affinity group. Changes: - Even for root-admin make sure that the affinity group and the VM belong to same account
2025-10-26 08:42:29 +01:00 · 2013-05-17 15:32:21 -07:00 · 2013-05-17 15:32:21 -07:00 · 1851f7f7f6
commit 1851f7f7f6
parent 7cae8ca231
2 changed files with 17 additions and 0 deletions
--- a/server/src/com/cloud/vm/UserVmManagerImpl.java
+++ b/server/src/com/cloud/vm/UserVmManagerImpl.java
@ -2366,6 +2366,14 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Use
                } else {
                    // verify permissions
                    _accountMgr.checkAccess(caller, null, true, owner, ag);
+                    // Root admin has access to both VM and AG by default, but
+                    // make sure the owner of these entities is same
+                    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+                        if (ag.getAccountId() != owner.getAccountId()) {
+                            throw new PermissionDeniedException("Affinity Group " + ag
+                                    + " does not belong to the VM's account");
+                        }
+                    }
                }
            }
        }
--- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
+++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java
@ -36,6 +36,7 @@ import com.cloud.deploy.DeploymentPlanner;
 import com.cloud.event.ActionEvent;
 import com.cloud.event.EventTypes;
 import com.cloud.exception.InvalidParameterValueException;
+import com.cloud.exception.PermissionDeniedException;
 import com.cloud.exception.ResourceInUseException;
 import com.cloud.network.security.SecurityGroup;
 import com.cloud.user.Account;
@ -332,6 +333,14 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
            } else {
                // verify permissions
                _accountMgr.checkAccess(caller, null, true, owner, ag);
+                // Root admin has access to both VM and AG by default, but make sure the
+                // owner of these entities is same
+                if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
+                    if (ag.getAccountId() != owner.getAccountId()) {
+                        throw new PermissionDeniedException("Affinity Group " + ag
+                                + " does not belong to the VM's account");
+                    }
+                }
            }
        }
        _affinityGroupVMMapDao.updateMap(vmId, affinityGroupIds);