apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactoring network ingress group command

Browse Source
This commit is contained in:
abhishek 2010-08-18 17:52:55 -07:00
parent d6f1f641b4
commit 3198abd8c1
6 changed files with 373 additions and 230 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
server/src/com/cloud/api/BaseAsyncCmd.java
View File

@ -1,6 +1,7 @@
package com.cloud.api; package com.cloud.api;
import com.cloud.serializer.SerializerHelper; import com.cloud.serializer.SerializerHelper;
import com.cloud.user.Account;
/** /**
* A base command for supporting asynchronous API calls. When an API command is received, the command will be * A base command for supporting asynchronous API calls. When an API command is received, the command will be

383
server/src/com/cloud/api/commands/RevokeNetworkGroupIngressCmd.java
View File

@ -1,44 +1,19 @@
package com.cloud.api.commands; package com.cloud.api.commands;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map; import java.util.Map;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import com.cloud.api.BaseCmd; import com.cloud.api.BaseAsyncCmd;
import com.cloud.api.Implementation;
import com.cloud.api.Parameter; import com.cloud.api.Parameter;
import com.cloud.api.ServerApiException; import com.cloud.api.BaseCmd.Manager;
import com.cloud.network.security.NetworkGroupVO;
import com.cloud.user.Account;
import com.cloud.utils.Pair;
import com.cloud.utils.net.NetUtils;
public class RevokeNetworkGroupIngressCmd extends BaseCmd { @Implementation(method="revokeNetworkGroupIngress", manager=Manager.NetworkGroupManager)
public class RevokeNetworkGroupIngressCmd extends BaseAsyncCmd {
public static final Logger s_logger = Logger.getLogger(RevokeNetworkGroupIngressCmd.class.getName()); public static final Logger s_logger = Logger.getLogger(RevokeNetworkGroupIngressCmd.class.getName());
private static final String s_name = "revokenetworkgroupingress"; private static final String s_name = "revokenetworkgroupingress";
private static final List<Pair<Enum, Boolean>> s_properties = new ArrayList<Pair<Enum, Boolean>>();
static {
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.USER_ID, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.ACCOUNT_OBJ, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.ACCOUNT, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.CIDR_LIST, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.DOMAIN_ID, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.END_PORT, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.ICMP_CODE, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.ICMP_TYPE, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.NETWORK_GROUP_NAME, Boolean.TRUE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.PROTOCOL, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.START_PORT, Boolean.FALSE));
s_properties.add(new Pair<Enum, Boolean>(BaseCmd.Properties.USER_NETWORK_GROUP_LIST, Boolean.FALSE));
}
///////////////////////////////////////////////////// /////////////////////////////////////////////////////
//////////////// API parameters ///////////////////// //////////////// API parameters /////////////////////
@ -130,180 +105,182 @@ public class RevokeNetworkGroupIngressCmd extends BaseCmd {
return "revokenetworkgroupingress"; return "revokenetworkgroupingress";
} }
public List<Pair<Enum, Boolean>> getProperties() { // @Override
return s_properties; // public List<Pair<String, Object>> execute(Map<String, Object> params) {
} // Account account = (Account)params.get(BaseCmd.Properties.ACCOUNT_OBJ.getName());
// String accountName = (String)params.get(BaseCmd.Properties.ACCOUNT.getName());
// Long domainId = (Long)params.get(BaseCmd.Properties.DOMAIN_ID.getName());
// Long userId = (Long)params.get(BaseCmd.Properties.USER_ID.getName());
// Integer startPort = (Integer)params.get(BaseCmd.Properties.START_PORT.getName());
// Integer endPort = (Integer)params.get(BaseCmd.Properties.END_PORT.getName());
// Integer icmpType = (Integer)params.get(BaseCmd.Properties.ICMP_TYPE.getName());
// Integer icmpCode = (Integer)params.get(BaseCmd.Properties.ICMP_CODE.getName());
// String protocol = (String)params.get(BaseCmd.Properties.PROTOCOL.getName());
// String networkGroup = (String)params.get(BaseCmd.Properties.NETWORK_GROUP_NAME.getName());
// String cidrList = (String)params.get(BaseCmd.Properties.CIDR_LIST.getName());
// Map groupList = (Map)params.get(BaseCmd.Properties.USER_NETWORK_GROUP_LIST.getName());
//
// Long accountId = null;
// Integer startPortOrType = null;
// Integer endPortOrCode = null;
// if (protocol == null) {
// protocol = "all";
// }
// //FIXME: for exceptions below, add new enums to BaseCmd.PARAM_ to reflect the error condition more precisely
// if (!NetUtils.isValidNetworkGroupProto(protocol)) {
// s_logger.debug("Invalid protocol specified " + protocol);
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid protocol " + protocol);
// }
// if ("icmp".equalsIgnoreCase(protocol) ) {
// if ((icmpType == null) || (icmpCode == null)) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid ICMP type/code specified, icmpType = " + icmpType + ", icmpCode = " + icmpCode);
// }
// if (icmpType == -1 && icmpCode != -1) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid icmp type range" );
// }
// if (icmpCode > 255) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid icmp code " );
// }
// startPortOrType = icmpType;
// endPortOrCode= icmpCode;
// } else if (protocol.equals("all")) {
// if ((startPort != null) || (endPort != null)) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Cannot specify startPort or endPort without specifying protocol");
// }
// startPortOrType = 0;
// endPortOrCode = 0;
// } else {
// if ((startPort == null) || (endPort == null)) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range specified, startPort = " + startPort + ", endPort = " + endPort);
// }
// if (startPort == 0 && endPort == 0) {
// endPort = 65535;
// }
// if (startPort > endPort) {
// s_logger.debug("Invalid port range specified: " + startPort + ":" + endPort);
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range " );
// }
// if (startPort > 65535 || endPort > 65535 || startPort < -1 || endPort < -1) {
// s_logger.debug("Invalid port numbers specified: " + startPort + ":" + endPort);
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port numbers " );
// }
//
// if (startPort < 0 || endPort < 0) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range " );
// }
// startPortOrType = startPort;
// endPortOrCode= endPort;
// }
//
// if ((account == null) || isAdmin(account.getType())) {
// if ((accountName != null) && (domainId != null)) {
// // if it's an admin account, do a quick permission check
// if ((account != null) && !getManagementServer().isChildDomain(account.getDomainId(), domainId)) {
// if (s_logger.isDebugEnabled()) {
// s_logger.debug("Unable to find rules for network security group id = " + networkGroup + ", permission denied.");
// }
// throw new ServerApiException(BaseCmd.ACCOUNT_ERROR, "Unable to find rules for network security group id = " + networkGroup + ", permission denied.");
// }
// Account groupOwner = getManagementServer().findActiveAccount(accountName, domainId);
// if (groupOwner == null) {
// throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find account " + accountName + " in domain " + domainId);
// }
// accountId = groupOwner.getId();
// } else {
// if (account != null) {
// accountId = account.getId();
// domainId = account.getDomainId();
// }
// }
// } else {
// if (account != null) {
// accountId = account.getId();
// domainId = account.getDomainId();
// }
// }
//
// if (accountId == null) {
// throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find account for network security group " + networkGroup + "; failed to revoke ingress.");
// }
//
// NetworkGroupVO sg = getManagementServer().findNetworkGroupByName(accountId, networkGroup);
// if (sg == null) {
// s_logger.debug("Unable to find network security group with id " + networkGroup);
// throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find network security group with id " + networkGroup);
// }
//
// if (cidrList == null && groupList == null) {
// s_logger.debug("At least one cidr or at least one security group needs to be specified");
// throw new ServerApiException(BaseCmd.PARAM_ERROR, "At least one cidr or at least one security group needs to be specified");
// }
// List<String> authorizedCidrs = new ArrayList<String>();
// if (cidrList != null) {
// if (protocol.equals("all")) {
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Cannot specify cidrs without specifying protocol and ports.");
// }
// String [] cidrs = cidrList.split(",");
// for (String cidr: cidrs) {
// if (!NetUtils.isValidCIDR(cidr)) {
// s_logger.debug( "Invalid cidr (" + cidr + ") given, unable to revoke ingress.");
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid cidr (" + cidr + ") given, unable to revoke ingress.");
// }
// authorizedCidrs.add(cidr);
// }
// }
//
// List<NetworkGroupVO> authorizedGroups = new ArrayList<NetworkGroupVO> ();
// if (groupList != null) {
// Collection userGroupCollection = groupList.values();
// Iterator iter = userGroupCollection.iterator();
// while (iter.hasNext()) {
// HashMap userGroup = (HashMap)iter.next();
// String group = (String)userGroup.get("group");
// String authorizedAccountName = (String)userGroup.get("account");
// if ((group == null) || (authorizedAccountName == null)) {
// throw new ServerApiException(BaseCmd.PARAM_ERROR, "Invalid user group specified, fields 'group' and 'account' cannot be null, please specify groups in the form: userGroupList[0].group=XXX&userGroupList[0].account=YYY");
// }
//
// Account authorizedAccount = getManagementServer().findActiveAccount(authorizedAccountName, domainId);
// if (authorizedAccount == null) {
// if (s_logger.isDebugEnabled()) {
// s_logger.debug("Nonexistent account: " + authorizedAccountName + ", domainid: " + domainId + " when trying to revoke ingress for " + networkGroup + ":" + protocol + ":" + startPortOrType + ":" + endPortOrCode);
// }
// throw new ServerApiException(BaseCmd.PARAM_ERROR, "Nonexistent account: " + authorizedAccountName + " when trying to revoke ingress for " + networkGroup + ":" + protocol + ":" + startPortOrType + ":" + endPortOrCode);
// }
//
// NetworkGroupVO groupVO = getManagementServer().findNetworkGroupByName(authorizedAccount.getId(), group);
// if (groupVO == null) {
// if (s_logger.isDebugEnabled()) {
// s_logger.debug("Nonexistent group and/or accountId: " + accountId + ", groupName=" + group);
// }
// throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid account/group pair (" + userGroup + ") given, unable to revoke ingress.");
// }
// authorizedGroups.add(groupVO);
// }
// }
//
// // If command is executed via 8096 port, set userId to the id of System account (1)
// if (userId == null) {
// userId = Long.valueOf(1);
// }
//
// long jobId = getManagementServer().revokeNetworkGroupIngressAsync(accountId, networkGroup, protocol, startPortOrType, endPortOrCode, authorizedCidrs.toArray(new String[authorizedCidrs.size()]), authorizedGroups);
//
// if (jobId == 0) {
// s_logger.warn("Unable to schedule async-job for RevokeNetworkGroupIngressCmd command");
// } else {
// if (s_logger.isDebugEnabled())
// s_logger.debug("RevokeNetworkGroupIngressCmd command has been accepted, job id: " + jobId);
// }
//
// List<Pair<String, Object>> returnValues = new ArrayList<Pair<String, Object>>();
// returnValues.add(new Pair<String, Object>(BaseCmd.Properties.JOB_ID.getName(), Long.valueOf(jobId)));
// return returnValues;
// }
@Override @Override
public List<Pair<String, Object>> execute(Map<String, Object> params) { public String getResponse() {
Account account = (Account)params.get(BaseCmd.Properties.ACCOUNT_OBJ.getName()); // TODO Fix response
String accountName = (String)params.get(BaseCmd.Properties.ACCOUNT.getName()); return null;
Long domainId = (Long)params.get(BaseCmd.Properties.DOMAIN_ID.getName());
Long userId = (Long)params.get(BaseCmd.Properties.USER_ID.getName());
Integer startPort = (Integer)params.get(BaseCmd.Properties.START_PORT.getName());
Integer endPort = (Integer)params.get(BaseCmd.Properties.END_PORT.getName());
Integer icmpType = (Integer)params.get(BaseCmd.Properties.ICMP_TYPE.getName());
Integer icmpCode = (Integer)params.get(BaseCmd.Properties.ICMP_CODE.getName());
String protocol = (String)params.get(BaseCmd.Properties.PROTOCOL.getName());
String networkGroup = (String)params.get(BaseCmd.Properties.NETWORK_GROUP_NAME.getName());
String cidrList = (String)params.get(BaseCmd.Properties.CIDR_LIST.getName());
Map groupList = (Map)params.get(BaseCmd.Properties.USER_NETWORK_GROUP_LIST.getName());
Long accountId = null;
Integer startPortOrType = null;
Integer endPortOrCode = null;
if (protocol == null) {
protocol = "all";
}
//FIXME: for exceptions below, add new enums to BaseCmd.PARAM_ to reflect the error condition more precisely
if (!NetUtils.isValidNetworkGroupProto(protocol)) {
s_logger.debug("Invalid protocol specified " + protocol);
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid protocol " + protocol);
}
if ("icmp".equalsIgnoreCase(protocol) ) {
if ((icmpType == null) || (icmpCode == null)) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid ICMP type/code specified, icmpType = " + icmpType + ", icmpCode = " + icmpCode);
}
if (icmpType == -1 && icmpCode != -1) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid icmp type range" );
}
if (icmpCode > 255) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid icmp code " );
}
startPortOrType = icmpType;
endPortOrCode= icmpCode;
} else if (protocol.equals("all")) {
if ((startPort != null) || (endPort != null)) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Cannot specify startPort or endPort without specifying protocol");
}
startPortOrType = 0;
endPortOrCode = 0;
} else {
if ((startPort == null) || (endPort == null)) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range specified, startPort = " + startPort + ", endPort = " + endPort);
}
if (startPort == 0 && endPort == 0) {
endPort = 65535;
}
if (startPort > endPort) {
s_logger.debug("Invalid port range specified: " + startPort + ":" + endPort);
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range " );
}
if (startPort > 65535 || endPort > 65535 || startPort < -1 || endPort < -1) {
s_logger.debug("Invalid port numbers specified: " + startPort + ":" + endPort);
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port numbers " );
}
if (startPort < 0 || endPort < 0) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range " );
}
startPortOrType = startPort;
endPortOrCode= endPort;
}
if ((account == null) || isAdmin(account.getType())) {
if ((accountName != null) && (domainId != null)) {
// if it's an admin account, do a quick permission check
if ((account != null) && !getManagementServer().isChildDomain(account.getDomainId(), domainId)) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Unable to find rules for network security group id = " + networkGroup + ", permission denied.");
}
throw new ServerApiException(BaseCmd.ACCOUNT_ERROR, "Unable to find rules for network security group id = " + networkGroup + ", permission denied.");
}
Account groupOwner = getManagementServer().findActiveAccount(accountName, domainId);
if (groupOwner == null) {
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find account " + accountName + " in domain " + domainId);
}
accountId = groupOwner.getId();
} else {
if (account != null) {
accountId = account.getId();
domainId = account.getDomainId();
}
}
} else {
if (account != null) {
accountId = account.getId();
domainId = account.getDomainId();
}
}
if (accountId == null) {
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find account for network security group " + networkGroup + "; failed to revoke ingress.");
}
NetworkGroupVO sg = getManagementServer().findNetworkGroupByName(accountId, networkGroup);
if (sg == null) {
s_logger.debug("Unable to find network security group with id " + networkGroup);
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find network security group with id " + networkGroup);
}
if (cidrList == null && groupList == null) {
s_logger.debug("At least one cidr or at least one security group needs to be specified");
throw new ServerApiException(BaseCmd.PARAM_ERROR, "At least one cidr or at least one security group needs to be specified");
}
List<String> authorizedCidrs = new ArrayList<String>();
if (cidrList != null) {
if (protocol.equals("all")) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Cannot specify cidrs without specifying protocol and ports.");
}
String [] cidrs = cidrList.split(",");
for (String cidr: cidrs) {
if (!NetUtils.isValidCIDR(cidr)) {
s_logger.debug( "Invalid cidr (" + cidr + ") given, unable to revoke ingress.");
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid cidr (" + cidr + ") given, unable to revoke ingress.");
}
authorizedCidrs.add(cidr);
}
}
List<NetworkGroupVO> authorizedGroups = new ArrayList<NetworkGroupVO> ();
if (groupList != null) {
Collection userGroupCollection = groupList.values();
Iterator iter = userGroupCollection.iterator();
while (iter.hasNext()) {
HashMap userGroup = (HashMap)iter.next();
String group = (String)userGroup.get("group");
String authorizedAccountName = (String)userGroup.get("account");
if ((group == null) || (authorizedAccountName == null)) {
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Invalid user group specified, fields 'group' and 'account' cannot be null, please specify groups in the form: userGroupList[0].group=XXX&userGroupList[0].account=YYY");
}
Account authorizedAccount = getManagementServer().findActiveAccount(authorizedAccountName, domainId);
if (authorizedAccount == null) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Nonexistent account: " + authorizedAccountName + ", domainid: " + domainId + " when trying to revoke ingress for " + networkGroup + ":" + protocol + ":" + startPortOrType + ":" + endPortOrCode);
}
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Nonexistent account: " + authorizedAccountName + " when trying to revoke ingress for " + networkGroup + ":" + protocol + ":" + startPortOrType + ":" + endPortOrCode);
}
NetworkGroupVO groupVO = getManagementServer().findNetworkGroupByName(authorizedAccount.getId(), group);
if (groupVO == null) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Nonexistent group and/or accountId: " + accountId + ", groupName=" + group);
}
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid account/group pair (" + userGroup + ") given, unable to revoke ingress.");
}
authorizedGroups.add(groupVO);
}
}
// If command is executed via 8096 port, set userId to the id of System account (1)
if (userId == null) {
userId = Long.valueOf(1);
}
long jobId = getManagementServer().revokeNetworkGroupIngressAsync(accountId, networkGroup, protocol, startPortOrType, endPortOrCode, authorizedCidrs.toArray(new String[authorizedCidrs.size()]), authorizedGroups);
if (jobId == 0) {
s_logger.warn("Unable to schedule async-job for RevokeNetworkGroupIngressCmd command");
} else {
if (s_logger.isDebugEnabled())
s_logger.debug("RevokeNetworkGroupIngressCmd command has been accepted, job id: " + jobId);
}
List<Pair<String, Object>> returnValues = new ArrayList<Pair<String, Object>>();
returnValues.add(new Pair<String, Object>(BaseCmd.Properties.JOB_ID.getName(), Long.valueOf(jobId)));
return returnValues;
} }
} }

5
server/src/com/cloud/network/security/NetworkGroupManager.java
View File

@ -21,6 +21,7 @@ import java.util.HashMap;
import java.util.List; import java.util.List;
import com.cloud.api.commands.CreateNetworkGroupCmd; import com.cloud.api.commands.CreateNetworkGroupCmd;
import com.cloud.api.commands.RevokeNetworkGroupIngressCmd;
import com.cloud.exception.InvalidParameterValueException; import com.cloud.exception.InvalidParameterValueException;
import com.cloud.exception.PermissionDeniedException; import com.cloud.exception.PermissionDeniedException;
import com.cloud.exception.ResourceInUseException; import com.cloud.exception.ResourceInUseException;
@ -61,9 +62,7 @@ public interface NetworkGroupManager extends Manager {
public void removeInstanceFromGroups(Long userVmId); public void removeInstanceFromGroups(Long userVmId);
boolean revokeNetworkGroupIngress(AccountVO account, String groupName, boolean revokeNetworkGroupIngress(RevokeNetworkGroupIngressCmd cmd);
String proto, int startPort, int endPort, String[] cidrList,
List<NetworkGroupVO> authorizedGroups);
public void deleteNetworkGroup(Long groupId, Long accountId) throws ResourceInUseException, PermissionDeniedException; public void deleteNetworkGroup(Long groupId, Long accountId) throws ResourceInUseException, PermissionDeniedException;

202
server/src/com/cloud/network/security/NetworkGroupManagerImpl.java
View File

@ -18,10 +18,12 @@
package com.cloud.network.security; package com.cloud.network.security;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator; import java.util.Comparator;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -41,7 +43,10 @@ import com.cloud.agent.api.Command;
import com.cloud.agent.api.NetworkIngressRulesCmd; import com.cloud.agent.api.NetworkIngressRulesCmd;
import com.cloud.agent.api.NetworkIngressRulesCmd.IpPortAndProto; import com.cloud.agent.api.NetworkIngressRulesCmd.IpPortAndProto;
import com.cloud.agent.manager.AgentManager; import com.cloud.agent.manager.AgentManager;
import com.cloud.api.BaseCmd;
import com.cloud.api.ServerApiException;
import com.cloud.api.commands.CreateNetworkGroupCmd; import com.cloud.api.commands.CreateNetworkGroupCmd;
import com.cloud.api.commands.RevokeNetworkGroupIngressCmd;
import com.cloud.configuration.dao.ConfigurationDao; import com.cloud.configuration.dao.ConfigurationDao;
import com.cloud.domain.DomainVO; import com.cloud.domain.DomainVO;
import com.cloud.domain.dao.DomainDao; import com.cloud.domain.dao.DomainDao;
@ -73,6 +78,7 @@ import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria; import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.db.Transaction; import com.cloud.utils.db.Transaction;
import com.cloud.utils.exception.CloudRuntimeException; import com.cloud.utils.exception.CloudRuntimeException;
import com.cloud.utils.net.NetUtils;
import com.cloud.vm.State; import com.cloud.vm.State;
import com.cloud.vm.dao.UserVmDao; import com.cloud.vm.dao.UserVmDao;
@ -90,7 +96,6 @@ public class NetworkGroupManagerImpl implements NetworkGroupManager {
@Inject NetworkGroupWorkDao _workDao; @Inject NetworkGroupWorkDao _workDao;
@Inject VmRulesetLogDao _rulesetLogDao; @Inject VmRulesetLogDao _rulesetLogDao;
@Inject DomainDao _domainDao; @Inject DomainDao _domainDao;
@Inject AgentManager _agentMgr; @Inject AgentManager _agentMgr;
ScheduledExecutorService _executorPool; ScheduledExecutorService _executorPool;
ScheduledExecutorService _cleanupExecutor; ScheduledExecutorService _cleanupExecutor;
@ -492,40 +497,195 @@ public class NetworkGroupManagerImpl implements NetworkGroupManager {
@Override @Override
@DB @DB
public boolean revokeNetworkGroupIngress(AccountVO account, public boolean revokeNetworkGroupIngress(RevokeNetworkGroupIngressCmd cmd) {
String groupName, String protocol, int startPort,
int endPort, String[] cidrList, List<NetworkGroupVO> authorizedGroups) { //input validation
Account account = (Account)UserContext.current().getAccountObject();
Long userId = UserContext.current().getUserId();
Long domainId = cmd.getDomainId();
Integer startPort = cmd.getStartPort();
Integer endPort = cmd.getEndPort();
Integer icmpType = cmd.getIcmpType();
Integer icmpCode = cmd.getIcmpCode();
String protocol = cmd.getProtocol();
String networkGroup = cmd.getNetworkGroupName();
String cidrList = cmd.getCidrList();
Map groupList = cmd.getUserNetworkGroupList();
String [] cidrs = null;
Long accountId = null;
Integer startPortOrType = null;
Integer endPortOrCode = null;
if (protocol == null) {
protocol = "all";
}
//FIXME: for exceptions below, add new enums to BaseCmd.PARAM_ to reflect the error condition more precisely
if (!NetUtils.isValidNetworkGroupProto(protocol)) {
s_logger.debug("Invalid protocol specified " + protocol);
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid protocol " + protocol);
}
if ("icmp".equalsIgnoreCase(protocol) ) {
if ((icmpType == null) || (icmpCode == null)) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid ICMP type/code specified, icmpType = " + icmpType + ", icmpCode = " + icmpCode);
}
if (icmpType == -1 && icmpCode != -1) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid icmp type range" );
}
if (icmpCode > 255) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid icmp code " );
}
startPortOrType = icmpType;
endPortOrCode= icmpCode;
} else if (protocol.equals("all")) {
if ((startPort != null) || (endPort != null)) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Cannot specify startPort or endPort without specifying protocol");
}
startPortOrType = 0;
endPortOrCode = 0;
} else {
if ((startPort == null) || (endPort == null)) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range specified, startPort = " + startPort + ", endPort = " + endPort);
}
if (startPort == 0 && endPort == 0) {
endPort = 65535;
}
if (startPort > endPort) {
s_logger.debug("Invalid port range specified: " + startPort + ":" + endPort);
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range " );
}
if (startPort > 65535 || endPort > 65535 || startPort < -1 || endPort < -1) {
s_logger.debug("Invalid port numbers specified: " + startPort + ":" + endPort);
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port numbers " );
}
if (startPort < 0 || endPort < 0) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid port range " );
}
startPortOrType = startPort;
endPortOrCode= endPort;
}
if ((account == null) || isAdmin(account.getType())) {
if ((account.getAccountName() != null) && (domainId != null)) {
// if it's an admin account, do a quick permission check
if ((account != null) && !_domainDao.isChildDomain(account.getDomainId(), domainId)) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Unable to find rules for network security group id = " + networkGroup + ", permission denied.");
}
throw new ServerApiException(BaseCmd.ACCOUNT_ERROR, "Unable to find rules for network security group id = " + networkGroup + ", permission denied.");
}
Account groupOwner = _accountDao.findActiveAccount(account.getAccountName(), domainId);
if (groupOwner == null) {
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find account " + account.getAccountName() + " in domain " + domainId);
}
accountId = groupOwner.getId();
} else {
if (account != null) {
accountId = account.getId();
domainId = account.getDomainId();
}
}
} else {
if (account != null) {
accountId = account.getId();
domainId = account.getDomainId();
}
}
if (accountId == null) {
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find account for network security group " + networkGroup + "; failed to revoke ingress.");
}
NetworkGroupVO sg = _networkGroupDao.findByAccountAndName(accountId, networkGroup);
if (sg == null) {
s_logger.debug("Unable to find network security group with id " + networkGroup);
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Unable to find network security group with id " + networkGroup);
}
if (cidrList == null && groupList == null) {
s_logger.debug("At least one cidr or at least one security group needs to be specified");
throw new ServerApiException(BaseCmd.PARAM_ERROR, "At least one cidr or at least one security group needs to be specified");
}
List<String> authorizedCidrs = new ArrayList<String>();
if (cidrList != null) {
if (protocol.equals("all")) {
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Cannot specify cidrs without specifying protocol and ports.");
}
cidrs = cidrList.split(",");
for (String cidr: cidrs) {
if (!NetUtils.isValidCIDR(cidr)) {
s_logger.debug( "Invalid cidr (" + cidr + ") given, unable to revoke ingress.");
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid cidr (" + cidr + ") given, unable to revoke ingress.");
}
authorizedCidrs.add(cidr);
}
}
List<NetworkGroupVO> authorizedGroups = new ArrayList<NetworkGroupVO> ();
if (groupList != null) {
Collection userGroupCollection = groupList.values();
Iterator iter = userGroupCollection.iterator();
while (iter.hasNext()) {
HashMap userGroup = (HashMap)iter.next();
String group = (String)userGroup.get("group");
String authorizedAccountName = (String)userGroup.get("account");
if ((group == null) || (authorizedAccountName == null)) {
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Invalid user group specified, fields 'group' and 'account' cannot be null, please specify groups in the form: userGroupList[0].group=XXX&userGroupList[0].account=YYY");
}
Account authorizedAccount = _accountDao.findActiveAccount(authorizedAccountName, domainId);
if (authorizedAccount == null) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Nonexistent account: " + authorizedAccountName + ", domainid: " + domainId + " when trying to revoke ingress for " + networkGroup + ":" + protocol + ":" + startPortOrType + ":" + endPortOrCode);
}
throw new ServerApiException(BaseCmd.PARAM_ERROR, "Nonexistent account: " + authorizedAccountName + " when trying to revoke ingress for " + networkGroup + ":" + protocol + ":" + startPortOrType + ":" + endPortOrCode);
}
NetworkGroupVO groupVO = _networkGroupDao.findByAccountAndName(authorizedAccount.getId(), group);
if (groupVO == null) {
if (s_logger.isDebugEnabled()) {
s_logger.debug("Nonexistent group and/or accountId: " + accountId + ", groupName=" + group);
}
throw new ServerApiException(BaseCmd.NET_INVALID_PARAM_ERROR, "Invalid account/group pair (" + userGroup + ") given, unable to revoke ingress.");
}
authorizedGroups.add(groupVO);
}
}
// If command is executed via 8096 port, set userId to the id of System account (1)
if (userId == null) {
userId = Long.valueOf(1);
}
if (!_enabled) { if (!_enabled) {
return false; return false;
} }
int numDeleted = 0; int numDeleted = 0;
final int numToDelete = cidrList.length + authorizedGroups.size(); final int numToDelete = cidrList.length() + authorizedGroups.size();
final Transaction txn = Transaction.currentTxn(); final Transaction txn = Transaction.currentTxn();
final Long accountId = account.getId();
NetworkGroupVO networkGroup = _networkGroupDao.findByAccountAndName(accountId, groupName); NetworkGroupVO networkGroupHandle = _networkGroupDao.findByAccountAndName(accountId, networkGroup);
if (networkGroup == null) { if (networkGroupHandle == null) {
s_logger.warn("Network security group not found: name= " + groupName); s_logger.warn("Network security group not found: name= " + networkGroup);
return false; return false;
} }
try { try {
txn.start(); txn.start();
networkGroup = _networkGroupDao.acquire(networkGroup.getId()); networkGroupHandle = _networkGroupDao.acquire(networkGroupHandle.getId());
if (networkGroup == null) { if (networkGroupHandle == null) {
s_logger.warn("Could not acquire lock on network security group: name= " + groupName); s_logger.warn("Could not acquire lock on network security group: name= " + networkGroup);
return false; return false;
} }
for (final NetworkGroupVO ngVO: authorizedGroups) { for (final NetworkGroupVO ngVO: authorizedGroups) {
numDeleted += _ingressRuleDao.deleteByPortProtoAndGroup(networkGroup.getId(), protocol, startPort, endPort, ngVO.getId()); numDeleted += _ingressRuleDao.deleteByPortProtoAndGroup(networkGroupHandle.getId(), protocol, startPort, endPort, ngVO.getId());
} }
for (final String cidr: cidrList) { for (final String cidr: cidrs) {
numDeleted += _ingressRuleDao.deleteByPortProtoAndCidr(networkGroup.getId(), protocol, startPort, endPort, cidr); numDeleted += _ingressRuleDao.deleteByPortProtoAndCidr(networkGroupHandle.getId(), protocol, startPort, endPort, cidr);
} }
s_logger.debug("revokeNetworkGroupIngress for group: " + groupName + ", numToDelete=" + numToDelete + ", numDeleted=" + numDeleted); s_logger.debug("revokeNetworkGroupIngress for group: " + networkGroup + ", numToDelete=" + numToDelete + ", numDeleted=" + numDeleted);
final Set<Long> affectedVms = new HashSet<Long>(); final Set<Long> affectedVms = new HashSet<Long>();
affectedVms.addAll(_networkGroupVMMapDao.listVmIdsByNetworkGroup(networkGroup.getId())); affectedVms.addAll(_networkGroupVMMapDao.listVmIdsByNetworkGroup(networkGroupHandle.getId()));
scheduleRulesetUpdateToHosts(affectedVms, true, null); scheduleRulesetUpdateToHosts(affectedVms, true, null);
return true; return true;
@ -534,13 +694,19 @@ public class NetworkGroupManagerImpl implements NetworkGroupManager {
throw new CloudRuntimeException("Exception caught when deleting ingress rules", e); throw new CloudRuntimeException("Exception caught when deleting ingress rules", e);
} finally { } finally {
if (networkGroup != null) { if (networkGroup != null) {
_networkGroupDao.release(networkGroup.getId()); _networkGroupDao.release(networkGroupHandle.getId());
} }
txn.commit(); txn.commit();
} }
} }
private static boolean isAdmin(short accountType) {
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
}
@Override @Override
public NetworkGroupVO createNetworkGroup(CreateNetworkGroupCmd cmd) throws PermissionDeniedException, InvalidParameterValueException { public NetworkGroupVO createNetworkGroup(CreateNetworkGroupCmd cmd) throws PermissionDeniedException, InvalidParameterValueException {
if (!_enabled) { if (!_enabled) {

2
server/src/com/cloud/server/ManagementServer.java
View File

@ -2046,7 +2046,7 @@ public interface ManagementServer {
* @return the job id if scheduled, 0 if the job was not scheduled * @return the job id if scheduled, 0 if the job was not scheduled
*/ */
long revokeNetworkGroupIngressAsync(Long accountId, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups); long revokeNetworkGroupIngressAsync(Long accountId, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups);
boolean revokeNetworkGroupIngress(AccountVO account, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups); // boolean revokeNetworkGroupIngress(AccountVO account, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups);
/** /**
* Delete an empty network group. If the group is not empty an error is returned. * Delete an empty network group. If the group is not empty an error is returned.

8
server/src/com/cloud/server/ManagementServerImpl.java
View File

@ -8111,10 +8111,10 @@ public class ManagementServerImpl implements ManagementServer {
return _asyncMgr.submitAsyncJob(job); return _asyncMgr.submitAsyncJob(job);
} }
@Override // @Override
public boolean revokeNetworkGroupIngress(AccountVO account, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups) { // public boolean revokeNetworkGroupIngress(AccountVO account, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups) {
return _networkGroupMgr.revokeNetworkGroupIngress(account, groupName, protocol, startPort, endPort, cidrList, authorizedGroups); // return _networkGroupMgr.revokeNetworkGroupIngress(account, groupName, protocol, startPort, endPort, cidrList, authorizedGroups);
} // }
@Override @Override
public long revokeNetworkGroupIngressAsync(Long accountId, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups) { public long revokeNetworkGroupIngressAsync(Long accountId, String groupName, String protocol, int startPort, int endPort, String [] cidrList, List<NetworkGroupVO> authorizedGroups) {