Fix the isRootAdmin and isDomainAdmin to return true or false even if the permission is denied by IAM

server/src/com/cloud/user/AccountManagerImpl.java

@@ -368,11 +368,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     public boolean isRootAdmin(long accountId) {
         AccountVO acct = _accountDao.findById(accountId);
         for (SecurityChecker checker : _securityCheckers) {
-            if (checker.checkAccess(acct, null, null, "SystemCapability")) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+            try {
+                if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                    }
+                    return true;
                 }
-                return true;
+            } catch (PermissionDeniedException ex) {
+                return false;
             }
         }
 
@@ -383,11 +387,15 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
     public boolean isDomainAdmin(long accountId) {
         AccountVO acct = _accountDao.findById(accountId);
         for (SecurityChecker checker : _securityCheckers) {
-            if (checker.checkAccess(acct, null, null, "DomainCapability")) {
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+            try {
+                if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                    }
+                    return true;
                 }
-                return true;
+            } catch (PermissionDeniedException ex) {
+                return false;
             }
         }
         return false;

services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedAPIAccessChecker.java

@@ -111,6 +111,15 @@ public class RoleBasedAPIAccessChecker extends AdapterBase implements APIChecker
             }
          }
 
+        // add the system-domain capability
+
+        _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_ADMIN + 1), null, null, null,
+                "SystemCapability", null, Permission.Allow);
+        _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_DOMAIN_ADMIN + 1), null, null, null,
+                "DomainCapability", null, Permission.Allow);
+        _iamSrv.addAclPermissionToAclPolicy(new Long(Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN + 1), null, null, null,
+                "DomainResourceCapability", null, Permission.Allow);
+
         for (PluggableService service : _services) {
             for (Class<?> cmdClass : service.getCommands()) {
                 APICommand command = cmdClass.getAnnotation(APICommand.class);

setup/db/db/schema-430to440.sql

@@ -538,7 +538,3 @@ INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values
 INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(4, 4, Now());
 INSERT INTO `cloud`.`acl_group_policy_map` (group_id, policy_id, created) values(5, 5, Now());
 
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (1, 2, 'SystemCapability', 'Allow', Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (2, 3, 'DomainCapability', 'Allow', Now());
-INSERT IGNORE INTO `cloud`.`acl_policy_permission` (id, policy_id, action, permission, created) VALUES (3, 4, 'DomainResourceCapability', 'Allow', Now());
-