1) Resource limits for Projects

2) Security checker for Projects
alena 2011-09-22 18:09:43 -07:00
parent ae2c5d9a6e
commit 5c35b7f164
22 changed files with 291 additions and 134 deletions


@ -43,12 +43,12 @@ public interface SecurityChecker extends Adapter {
/**
* Checks if the account owns the object.
*
* @param account account to check against.
* @param caller account to check against.
* @param object object that the account is trying to access.
* @return true if access allowed. false if this adapter cannot authenticate ownership.
* @throws PermissionDeniedException if this adapter is suppose to authenticate ownership and the check failed.
*/
boolean checkAccess(Account account, Domain domain) throws PermissionDeniedException;
boolean checkAccess(Account caller, Domain domain) throws PermissionDeniedException;
/**
* Checks if the user belongs to an account that owns the object.


@ -261,5 +261,6 @@ public class ApiConstants {
public static final String HYPERVISOR_VERSION = "hypervisorversion";
public static final String MAX_GUESTS_LIMIT = "maxguestslimit";
public static final String PROJECT_ID = "projectid";
public static final String PROJECT = "project";
}


@ -44,6 +44,7 @@ import com.cloud.network.lb.LoadBalancingRulesService;
import com.cloud.network.rules.RulesService;
import com.cloud.network.security.SecurityGroupService;
import com.cloud.network.vpn.RemoteAccessVpnService;
import com.cloud.projects.Project;
import com.cloud.projects.ProjectService;
import com.cloud.resource.ResourceService;
import com.cloud.server.ManagementService;
@ -573,5 +574,33 @@ public abstract class BaseCmd {
public Map<String, String> getFullUrlParams() {
return this.fullUrlParams;
}
public Long getAccountId(String accountName, String projectName, Long domainId) {
if (accountName != null) {
if (domainId == null) {
throw new InvalidParameterValueException("Account must be specified with domainId parameter");
}
Account account = _accountService.getActiveAccountByName(accountName, domainId);
if (account != null) {
return account.getId();
} else {
throw new InvalidParameterValueException("Unable to find account by name " + accountName + " in domain id=" + domainId);
}
}
if (projectName != null) {
if (domainId == null) {
throw new InvalidParameterValueException("Project must be specified with domainId parameter");
}
Project project = _projectService.findByNameAndDomainId(projectName, domainId);
if (project != null) {
return project.getProjectAccountId();
} else {
throw new InvalidParameterValueException("Unable to find project by name " + project + " in domain id=" + domainId);
}
}
return null;
}
}
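Review bot: In `getAccountId`, the project-not-found message concatenates `project`, which is always null on that branch, so the error reads "by name null"; it should use `projectName`: `throw new InvalidParameterValueException("Unable to find project by name " + projectName + " in domain id=" + domainId);`. When both `accountName` and `projectName` are supplied, the account branch returns first and the project is silently ignored; rejecting the combination would make the resolved owner unambiguous. The method is public and resolves names before any access check visible in this hunk, so a Javadoc stating that callers must still authorize the returned id would help.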


@ -43,6 +43,9 @@ public class ListResourceLimitsCmd extends BaseListCmd {
@Parameter(name=ApiConstants.ACCOUNT, type=CommandType.STRING, description="Lists resource limits by account. Must be used with the domainId parameter.")
private String accountName;
@Parameter(name=ApiConstants.PROJECT, type=CommandType.STRING, description="Lists resource limits by project. Must be used with the domainId parameter.")
private String projectName;
@Parameter(name=ApiConstants.DOMAIN_ID, type=CommandType.LONG, description="Lists resource limits by domain ID. If used with the account parameter, lists resource limits for a specified account in a specified domain.")
private Long domainId;
@ -88,7 +91,7 @@ public class ListResourceLimitsCmd extends BaseListCmd {
@Override
public void execute(){
List<? extends ResourceLimit> result = _resourceLimitService.searchForLimits(id, accountName, domainId, resourceType, this.getStartIndex(), this.getPageSizeVal());
List<? extends ResourceLimit> result = _resourceLimitService.searchForLimits(id, getAccountId(accountName, projectName, domainId), domainId, resourceType, this.getStartIndex(), this.getPageSizeVal());
ListResponse<ResourceLimitResponse> response = new ListResponse<ResourceLimitResponse>();
List<ResourceLimitResponse> limitResponses = new ArrayList<ResourceLimitResponse>();
for (ResourceLimit limit : result) {
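Review bot: `execute()` now resolves the account or project through `getAccountId(...)` before `searchForLimits` runs, and that helper throws an "Unable to find ... by name" error for an unknown name. As far as this page shows, the lookup happens ahead of the domain and account `checkAccess` calls inside `searchForLimits`, so the difference between an existing and a missing name is observable even for a domain the caller may not be allowed to see; the replaced in-service lookup ran after the domain check and returned an empty list. Consider checking access to `domainId` before resolving the name, or returning the same empty result for an unknown name. The body of `execute()` continues outside the hunk.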


@ -26,11 +26,8 @@ import com.cloud.api.Implementation;
import com.cloud.api.Parameter;
import com.cloud.api.ServerApiException;
import com.cloud.api.response.ResourceLimitResponse;
import com.cloud.configuration.Resource.ResourceOwnerType;
import com.cloud.configuration.ResourceLimit;
import com.cloud.exception.InvalidParameterValueException;
import com.cloud.user.Account;
import com.cloud.utils.Pair;
@Implementation(description="Updates resource limits for an account or domain.", responseObject=ResourceLimitResponse.class)
public class UpdateResourceLimitCmd extends BaseCmd {
@ -49,8 +46,8 @@ public class UpdateResourceLimitCmd extends BaseCmd {
@Parameter(name=ApiConstants.DOMAIN_ID, type=CommandType.LONG, description="Update resource limits for all accounts in specified domain. If used with the account parameter, updates resource limits for a specified account in specified domain.")
private Long domainId;
@Parameter(name=ApiConstants.PROJECT_ID, type=CommandType.LONG, description="Update resource limits for project")
private Long projectId;
@Parameter(name=ApiConstants.PROJECT, type=CommandType.STRING, description="Update resource limits for project")
private String projectName;
@Parameter(name=ApiConstants.MAX, type=CommandType.LONG, description=" Maximum resource limit.")
private Long max;
@ -65,51 +62,15 @@ public class UpdateResourceLimitCmd extends BaseCmd {
/////////////////////////////////////////////////////
/////////////////// Accessors ///////////////////////
/////////////////////////////////////////////////////
public Pair<Long, ResourceOwnerType> getOwner() {
Long ownerId = null;
ResourceOwnerType resourceOwnerType = null;
if (domainId != null) {
if (_domainService.getDomain(domainId) == null) {
throw new InvalidParameterValueException("Unable to find domain by id=" + domainId);
}
if (accountName != null) {
Account account = _accountService.getActiveAccountByName(accountName, domainId);
if (account != null) {
ownerId = account.getId();
resourceOwnerType = ResourceOwnerType.Account;
} else {
throw new InvalidParameterValueException("Unable to find account by name " + accountName + " in domain id=" + domainId);
}
} else {
ownerId = domainId;
resourceOwnerType = ResourceOwnerType.Domain;
}
} else if (projectId != null){
if (_projectService.getProject(projectId) == null) {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
//TODO - get domainId associated with the project
ownerId = projectId;
resourceOwnerType = ResourceOwnerType.Domain;
}
if (ownerId == null) {
throw new InvalidParameterValueException("Please specify projectId or domainId or domainId/accountName");
}
return new Pair<Long, ResourceOwnerType>(ownerId, resourceOwnerType);
}
public Long getMax() {
return max;
}
public Long getDomainId() {
return domainId;
}
public Integer getResourceType() {
return resourceType;
}
@ -125,12 +86,17 @@ public class UpdateResourceLimitCmd extends BaseCmd {
@Override
public long getEntityOwnerId() {
return getOwner().first();
Long accountId = getAccountId(accountName, projectName, domainId);
if (accountId != null) {
return accountId;
}
return Account.ACCOUNT_ID_SYSTEM;
}
@Override
public void execute(){
ResourceLimit result = _resourceLimitService.updateResourceLimit(getOwner().first(), getOwner().second(), resourceType, max);
ResourceLimit result = _resourceLimitService.updateResourceLimit(getAccountId(accountName, projectName, domainId), getDomainId(), resourceType, max);
if (result != null || (result == null && max != null && max.longValue() == -1L)){
ResourceLimitResponse response = _responseGenerator.createResourceLimitResponse(result);
response.setResponseName(getCommandName());
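Review bot: `getEntityOwnerId()` now returns `Account.ACCOUNT_ID_SYSTEM` whenever `getAccountId(...)` yields null, which includes the domain-only update that the removed `getOwner()` attributed to the domain itself. Whatever consumes the entity owner id is not visible here, so this should be confirmed as intended and recorded in the method, e.g. `// domain-level limits have no owning account; attribute the command to the system account`. The new `project` parameter also requires `domainId` (`getAccountId` throws without it), but its description omits the "Must be used with the domainId parameter." wording that `ListResourceLimitsCmd` carries. `execute()` continues outside the hunk.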


@ -0,0 +1,12 @@
package com.cloud.api.response;
public interface ControlledEntityResponse {
public void setAccountName(String accountName);
public void setProjectName(String projectName);
public void setDomainId(Long domainId);
public void setDomainName(String domainName);
}
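Review bot: The new `ControlledEntityResponse` interface has no Javadoc, so nothing records that a response is expected to carry either an account name or a project name, which is how `populateAccount` in this commit uses it. A one-line description per setter would do, e.g. `/** Name of the owning project; set instead of the account name when the owner is a project account. */`. The `public` modifiers on the methods are redundant in an interface, and this same commit appears to drop one from `Project.getProjectAccountId()`.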


@ -17,10 +17,12 @@
*/
package com.cloud.api.response;
import com.cloud.api.ApiConstants;
import com.cloud.serializer.Param;
import com.google.gson.annotations.SerializedName;
public class ResourceLimitResponse extends BaseResponse {
@SuppressWarnings("unused")
public class ResourceLimitResponse extends BaseResponse implements ControlledEntityResponse {
@SerializedName("account") @Param(description="the account of the resource limit")
private String accountName;
@ -35,43 +37,34 @@ public class ResourceLimitResponse extends BaseResponse {
@SerializedName("max") @Param(description="the maximum number of the resource. A -1 means the resource currently has no limit.")
private Long max;
@SerializedName(ApiConstants.PROJECT) @Param(description="the project name of the resource limit")
private String projectName;
public String getAccountName() {
return accountName;
}
@Override
public void setAccountName(String accountName) {
this.accountName = accountName;
}
public Long getDomainId() {
return domainId;
@Override
public void setProjectName(String projectName) {
this.projectName = projectName;
}
@Override
public void setDomainId(Long domainId) {
this.domainId = domainId;
}
public String getDomainName() {
return domainName;
}
@Override
public void setDomainName(String domainName) {
this.domainName = domainName;
}
public String getResourceType() {
return resourceType;
}
public void setResourceType(String resourceType) {
this.resourceType = resourceType;
}
public Long getMax() {
return max;
}
public void setMax(Long max) {
this.max = max;
}
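Review bot: The `@SuppressWarnings("unused")` added on the class silences the warning for every member, including any field added later that is genuinely dead. The removed getters suggest the fields are now read only by the serializer; if so, a comment such as `// fields are read reflectively during serialization` next to a narrower, per-field suppression would document that. The new `projectName` field takes its serialized name from `ApiConstants.PROJECT` while `accountName` keeps the literal "account"; using the constants consistently would keep request and response names aligned. The class body continues outside the hunk.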


@ -36,7 +36,7 @@ public interface Project extends PartOf{
String getName();
public long getProjectAccountId();
long getProjectAccountId();
long getProjectDomainId();


@ -11,4 +11,8 @@ public interface ProjectAccount {
Role getAccountRole();
long getId();
long getProjectAccountId();
long getProjectDomainId();
}


@ -43,4 +43,10 @@ public interface ProjectService {
Account getProjectOwner(long projectId);
boolean unassignAccountFromProject(long projectId, long accountId);
Project findByProjectDomainId(long projectDomainId);
Project findByProjectAccountId(long projectAccountId);
Project findByNameAndDomainId(String name, long domainId);
}


@ -20,7 +20,6 @@ package com.cloud.user;
import java.util.List;
import com.cloud.api.commands.UpdateResourceCountCmd;
import com.cloud.configuration.Resource.ResourceOwnerType;
import com.cloud.configuration.Resource.ResourceType;
import com.cloud.configuration.ResourceCount;
import com.cloud.configuration.ResourceLimit;
@ -31,15 +30,14 @@ public interface ResourceLimitService {
/**
* Updates an existing resource limit with the specified details. If a limit doesn't exist, will create one.
*
* @param ownerId
* the command that wraps the domainId, accountId, type, and max parameters
* @param ownerType TODO
* @param accountId TODO
* @param domainId TODO
* @param resourceType TODO
* @param max TODO
*
* @return the updated/created resource limit
*/
ResourceLimit updateResourceLimit(Long ownerId, ResourceOwnerType ownerType, Integer resourceType, Long max);
ResourceLimit updateResourceLimit(Long accountId, Long domainId, Integer resourceType, Long max);
/**
* Updates an existing resource count details for the account/domain
@ -53,12 +51,12 @@ public interface ResourceLimitService {
/**
* Search for resource limits for the given id and/or account and/or type and/or domain.
* @param id TODO
* @param accountName TODO
* @param accountId TODO
* @param domainId TODO
* @param type TODO
* @return a list of limits that match the criteria
*/
public List<? extends ResourceLimit> searchForLimits(Long id, String accountName, Long domainId, Integer type, Long startIndex, Long pageSizeVal);
public List<? extends ResourceLimit> searchForLimits(Long id, Long accountId, Long domainId, Integer type, Long startIndex, Long pageSizeVal);
/**
* Finds the resource limit for a specified account and type. If the account has an infinite limit, will check
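Review bot: The Javadoc for `updateResourceLimit` and `searchForLimits` still documents every parameter as `TODO`, and the signature change makes the contract less obvious than before, since `accountId` and `domainId` are both nullable `Long`s. Going by the implementation shown later on this page, `updateResourceLimit` uses `accountId` when it is non-null, falls back to `domainId` otherwise, and throws when both are null; that precedence belongs here, e.g. `@param accountId account (or project account) whose limit is updated; takes precedence over domainId when both are given`. `searchForLimits` also lacks `@param` entries for `startIndex` and `pageSizeVal`. The interface continues outside the hunk.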


@ -28,6 +28,8 @@ import javax.persistence.Id;
import javax.persistence.Table;
import javax.persistence.Transient;
import com.cloud.configuration.Resource.ResourceOwnerType;
@Entity
@Table(name="resource_count")
public class ResourceCountVO implements ResourceCount {
@ -50,8 +52,6 @@ public class ResourceCountVO implements ResourceCount {
@Column(name="count")
private long count;
@Transient
private ResourceOwnerType ownerType;
public ResourceCountVO(){}
@ -64,7 +64,6 @@ public class ResourceCountVO implements ResourceCount {
} else if (ownerType == ResourceOwnerType.Domain) {
this.domainId = ownerId;
}
this.ownerType = ownerType;
}
@Override
@ -118,7 +117,11 @@ public class ResourceCountVO implements ResourceCount {
@Override
public ResourceOwnerType getResourceOwnerType() {
return ownerType;
if (accountId != null) {
return ResourceOwnerType.Account;
} else {
return ResourceOwnerType.Domain;
}
}
public void setDomainId(Long domainId) {
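Review bot: `getResourceOwnerType()` now reports `Domain` for every instance whose `accountId` is null, including one built with the no-arg constructor where neither id has been set; the removed transient field was null in that state. The same derivation is added to `ResourceLimitVO.getResourceOwnerType()` in the next file. If a row with both ids unset cannot occur, a comment saying so is enough (`// exactly one of accountId/domainId is set for a persisted row`); otherwise the method should distinguish the unset case. With the `@Transient` field gone, the `javax.persistence.Transient` import shown as context in the first hunk may now be unused. `setDomainId` continues outside the hunk.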


@ -49,9 +49,6 @@ public class ResourceLimitVO implements ResourceLimit {
@Column(name="max")
private Long max;
@Transient
private ResourceOwnerType ownerType;
public ResourceLimitVO() {}
@ -113,7 +110,11 @@ public class ResourceLimitVO implements ResourceLimit {
@Override
public ResourceOwnerType getResourceOwnerType() {
return ownerType;
if (accountId != null) {
return ResourceOwnerType.Account;
} else {
return ResourceOwnerType.Domain;
}
}
public void setDomainId(Long domainId) {


@ -27,6 +27,8 @@ import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.PermissionDeniedException;
import com.cloud.offering.DiskOffering;
import com.cloud.offering.ServiceOffering;
import com.cloud.projects.Project;
import com.cloud.projects.ProjectManager;
import com.cloud.storage.LaunchPermissionVO;
import com.cloud.storage.dao.LaunchPermissionDao;
import com.cloud.template.VirtualMachineTemplate;
@ -42,23 +44,38 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
@Inject DomainDao _domainDao;
@Inject AccountDao _accountDao;
@Inject LaunchPermissionDao _launchPermissionDao;
@Inject ProjectManager _projectMgr;
protected DomainChecker() {
super();
}
@Override
public boolean checkAccess(Account account, Domain domain) throws PermissionDeniedException {
if (account.getState() != Account.State.enabled) {
throw new PermissionDeniedException(account + " is disabled.");
public boolean checkAccess(Account caller, Domain domain) throws PermissionDeniedException {
if (caller.getState() != Account.State.enabled) {
throw new PermissionDeniedException(caller + " is disabled.");
}
long domainId = domain.getId();
if (domain.getType() == Domain.Type.Project) {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (!_projectMgr.canAccessDomain(caller, domainId)){
throw new PermissionDeniedException(caller + " does not have permission to operate within " + domain);
}
return true;
} else {
//need to check the domain the project belongs to
Project project = _projectMgr.findByProjectDomainId(domainId);
domainId = project.getProjectDomainId();
}
}
if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (account.getDomainId() != domain.getId()) {
throw new PermissionDeniedException(account + " does not have permission to operate within " + domain);
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (caller.getDomainId() != domainId) {
throw new PermissionDeniedException(caller + " does not have permission to operate within " + domain);
}
} else if (!_domainDao.isChildDomain(account.getDomainId(), domain.getId())) {
throw new PermissionDeniedException(account + " does not have permission to operate within " + domain);
} else if (!_domainDao.isChildDomain(caller.getDomainId(), domainId)) {
throw new PermissionDeniedException(caller + " does not have permission to operate within " + domain);
}
return true;
@ -103,9 +120,17 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
return true;
} else {
if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
if (caller.getId() != entity.getAccountId()) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
Account account = _accountDao.findById(entity.getAccountId());
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
if (!_projectMgr.canAccessAccount(caller, account.getId())){
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
} else {
if (caller.getId() != entity.getAccountId()) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
}
}
}
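Review bot: In `checkAccess(Account, Domain)`, the branch for non-normal callers on a project domain looks the project up by `domainId` and then assigns `project.getProjectDomainId()` back to `domainId`, which by the lookup key is the same value. So the "domain the project belongs to" from the comment is never what `isChildDomain` checks. If the intent is the project's parent domain, the assignment should read that field instead (presumably `project.getDomainId()` via `PartOf`, which is not shown on this page). `project` also needs a null check so that a dangling project domain yields `PermissionDeniedException` rather than a `NullPointerException`; the second hunk has the same gap, where `_accountDao.findById(entity.getAccountId())` is dereferenced unchecked. Both enclosing methods extend beyond their hunks.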


@ -72,6 +72,7 @@ import com.cloud.network.security.dao.SecurityGroupDao;
import com.cloud.offering.ServiceOffering;
import com.cloud.offerings.NetworkOfferingVO;
import com.cloud.offerings.dao.NetworkOfferingDao;
import com.cloud.projects.Project;
import com.cloud.projects.ProjectService;
import com.cloud.server.Criteria;
import com.cloud.server.ManagementServer;
@ -631,4 +632,16 @@ public class ApiDBUtils {
public static Account getProjectOwner(long projectId) {
return _projectMgr.getProjectOwner(projectId);
}
public static Project findProjectByProjectDomainId(long projectDomainId) {
return _projectMgr.findByProjectDomainId(projectDomainId);
}
public static Project findProjectByProjectAccountId(long projectAccountId) {
return _projectMgr.findByProjectAccountId(projectAccountId);
}
public static Project findProjectById(long projectId) {
return _projectMgr.getProject(projectId);
}
}


@ -31,6 +31,7 @@ import java.util.StringTokenizer;
import org.apache.log4j.Logger;
import com.cloud.acl.ControlledEntity;
import com.cloud.api.commands.QueryAsyncJobResultCmd;
import com.cloud.api.response.AccountResponse;
import com.cloud.api.response.ApiResponseSerializer;
@ -39,6 +40,7 @@ import com.cloud.api.response.CapabilityResponse;
import com.cloud.api.response.CapacityResponse;
import com.cloud.api.response.ClusterResponse;
import com.cloud.api.response.ConfigurationResponse;
import com.cloud.api.response.ControlledEntityResponse;
import com.cloud.api.response.CreateCmdResponse;
import com.cloud.api.response.DiskOfferingResponse;
import com.cloud.api.response.DomainResponse;
@ -390,16 +392,12 @@ public class ApiResponseHelper implements ResponseGenerator {
@Override
public ResourceLimitResponse createResourceLimitResponse(ResourceLimit limit) {
ResourceLimitResponse resourceLimitResponse = new ResourceLimitResponse();
if (limit.getResourceOwnerType() == ResourceOwnerType.Domain) {
resourceLimitResponse.setDomainId(limit.getOwnerId());
resourceLimitResponse.setDomainName(ApiDBUtils.findDomainById(limit.getOwnerId()).getName());
if (limit.getResourceOwnerType() == ResourceOwnerType.Domain) {
populateDomain(resourceLimitResponse, limit.getOwnerId());
} else if (limit.getResourceOwnerType() == ResourceOwnerType.Account) {
Account accountTemp = ApiDBUtils.findAccountById(limit.getOwnerId());
if (accountTemp != null) {
resourceLimitResponse.setAccountName(accountTemp.getAccountName());
resourceLimitResponse.setDomainId(accountTemp.getDomainId());
resourceLimitResponse.setDomainName(ApiDBUtils.findDomainById(accountTemp.getDomainId()).getName());
}
populateAccount(resourceLimitResponse, limit.getOwnerId());
populateDomain(resourceLimitResponse, accountTemp.getDomainId());
}
resourceLimitResponse.setResourceType(Integer.valueOf(limit.getType().getOrdinal()).toString());
resourceLimitResponse.setMax(limit.getMax());
@ -2430,5 +2428,39 @@ public class ApiResponseHelper implements ResponseGenerator {
hpvCapabilitiesResponse.setMaxGuestsLimit(hpvCapabilities.getMaxGuestsLimit());
return hpvCapabilitiesResponse;
}
private void populateOwner(ControlledEntityResponse response, ControlledEntity object) {
Account account = ApiDBUtils.findAccountById(object.getAccountId());
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
//find the project
Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId());
response.setProjectName(project.getName());
} else {
response.setAccountName(account.getAccountName());
}
Domain domain = ApiDBUtils.findDomainById(object.getDomainId());
response.setDomainId(domain.getId());
response.setDomainName(domain.getName());
}
private void populateAccount(ControlledEntityResponse response, long accountId) {
Account account = ApiDBUtils.findAccountById(accountId);
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
//find the project
Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId());
response.setProjectName(project.getName());
} else {
response.setAccountName(account.getAccountName());
}
}
private void populateDomain(ControlledEntityResponse response, long domainId) {
Domain domain = ApiDBUtils.findDomainById(domainId);
response.setDomainId(domain.getId());
response.setDomainName(domain.getName());
}
}
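Review bot: `createResourceLimitResponse` drops the `if (accountTemp != null)` guard, so the account branch now dereferences `accountTemp.getDomainId()` unconditionally. `populateAccount` repeats the same lookup and dereferences `account` and `project` without checks, so a limit whose owner account has been removed would turn a list call into a `NullPointerException`. Keeping the guard around the two calls restores the old behaviour: `if (accountTemp != null) { populateAccount(resourceLimitResponse, accountTemp.getId()); populateDomain(resourceLimitResponse, accountTemp.getDomainId()); }`. `populateOwner` duplicates `populateAccount` plus `populateDomain` and has no caller on this page; it could delegate to the two helpers.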


@ -43,6 +43,12 @@ public class ProjectAccountVO implements ProjectAccount{
@Column(name="account_role")
@Enumerated(value=EnumType.STRING)
private Role accountRole = Role.Regular;
@Column(name="project_account_id")
long projectAccountId;
@Column(name="project_domain_id")
long projectDomainId;
protected ProjectAccountVO(){
@ -52,6 +58,8 @@ public class ProjectAccountVO implements ProjectAccount{
this.accountId = accountId;
this.accountRole = accountRole;
this.projectId = project.getId();
this.projectAccountId = project.getProjectAccountId();
this.projectDomainId = project.getProjectDomainId();
}
@Override
@ -74,6 +82,13 @@ public class ProjectAccountVO implements ProjectAccount{
return accountRole;
}
@Override
public long getProjectAccountId() {
return projectAccountId;
}
@Override
public long getProjectDomainId() {
return projectDomainId;
}
}
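Review bot: The new `projectAccountId` and `projectDomainId` fields are declared without an access modifier, unlike `accountRole` directly above them. That leaves them writable from anywhere in the package even though they feed the `canAccessAccount`/`canAccessDomain` lookups added in this commit; `private long projectAccountId;` and `private long projectDomainId;` would match the rest of the class. They are copies of the project's ids taken in the constructor, so a comment noting that they are denormalized for the access-check query would explain why they exist. The class body lies partly outside the hunks.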


@ -1,6 +1,9 @@
package com.cloud.projects;
import com.cloud.user.Account;
public interface ProjectManager extends ProjectService {
ProjectVO findByProjectDomainId(long projectDomainId);
ProjectVO findByProjectAccountId(long projectAccountId);
boolean canAccessAccount(Account caller, long accountId);
boolean canAccessDomain(Account caller, long domainId);
}


@ -316,5 +316,20 @@ public class ProjectManagerImpl implements ProjectManager, Manager{
public ProjectVO findByProjectAccountId(long projectAccountId) {
return _projectDao.findByProjectAccountId(projectAccountId);
}
@Override
public Project findByNameAndDomainId(String name, long domainId) {
return _projectDao.findByNameAndDomain(name, domainId);
}
@Override
public boolean canAccessAccount(Account caller, long accountId) {
return _projectAccountDao.canAccessAccount(caller.getId(), accountId);
}
@Override
public boolean canAccessDomain(Account caller, long domainId) {
return _projectAccountDao.canAccessDomain(caller.getId(), domainId);
}
}


@ -10,4 +10,7 @@ public interface ProjectAccountDao extends GenericDao<ProjectAccountVO, Long>{
List<ProjectAccountVO> listByProjectId(long projectId);
ProjectAccountVO findByProjectIdAccountId(long projectId, long accountId);
boolean canAccessAccount(long accountId, long projectAccountId);
boolean canAccessDomain(long accountId, long projectDomainId);
}
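Review bot: `canAccessAccount(long accountId, long projectAccountId)` and `canAccessDomain(long accountId, long projectDomainId)` take two same-typed ids whose order decides an authorization result, and neither has Javadoc. A swapped call compiles cleanly, so the contract should be written down, e.g. `/** @return true if accountId is a member of the project whose project account is projectAccountId */`. `ProjectManager.canAccessAccount(Account caller, long accountId)` in this commit uses `accountId` for the project account, the opposite of the DAO's first parameter, which makes the naming easy to misread.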


@ -24,6 +24,8 @@ public class ProjectAccountDaoImpl extends GenericDaoBase<ProjectAccountVO, Long
AllFieldsSearch.and("role", AllFieldsSearch.entity().getAccountRole(), SearchCriteria.Op.EQ);
AllFieldsSearch.and("projectId", AllFieldsSearch.entity().getProjectId(), SearchCriteria.Op.EQ);
AllFieldsSearch.and("accountId", AllFieldsSearch.entity().getAccountId(), SearchCriteria.Op.EQ);
AllFieldsSearch.and("projectAccountId", AllFieldsSearch.entity().getProjectAccountId(), SearchCriteria.Op.EQ);
AllFieldsSearch.and("projectDomainId", AllFieldsSearch.entity().getProjectDomainId(), SearchCriteria.Op.EQ);
AllFieldsSearch.done();
}
@ -53,4 +55,30 @@ public class ProjectAccountDaoImpl extends GenericDaoBase<ProjectAccountVO, Long
return findOneBy(sc);
}
@Override
public boolean canAccessAccount(long accountId, long projectAccountId) {
SearchCriteria<ProjectAccountVO> sc = AllFieldsSearch.create();
sc.setParameters("accountId", accountId);
sc.setParameters("projectAccountId", projectAccountId);
if (findOneBy(sc) != null) {
return true;
} else {
return false;
}
}
@Override
public boolean canAccessDomain(long accountId, long projectDomainId) {
SearchCriteria<ProjectAccountVO> sc = AllFieldsSearch.create();
sc.setParameters("accountId", accountId);
sc.setParameters("projectDomainId", projectDomainId);
if (findOneBy(sc) != null) {
return true;
} else {
return false;
}
}
}
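Review bot: Both new methods end in `if (findOneBy(sc) != null) { return true; } else { return false; }`, which is simply `return findOneBy(sc) != null;`. The query matches any `ProjectAccountVO` row for the pair, so every role grants access; the hunk shows no filter on `role` or on the project's state, and if that is intended a comment saying so would help the next reader of `DomainChecker`. The two bodies differ only in the second parameter name and could share a private helper.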


@ -306,13 +306,11 @@ public class ResourceLimitManagerImpl implements ResourceLimitService, Manager{
}
@Override
public List<ResourceLimitVO> searchForLimits(Long id, String accountName, Long domainId, Integer type, Long startIndex, Long pageSizeVal) {
public List<ResourceLimitVO> searchForLimits(Long id, Long accountId, Long domainId, Integer type, Long startIndex, Long pageSizeVal) {
Account caller = UserContext.current().getCaller();
List<ResourceLimitVO> limits = new ArrayList<ResourceLimitVO>();
boolean isAccount = true;
Long accountId = null;
if (!_accountMgr.isAdmin(caller.getType())) {
accountId = caller.getId();
domainId = null;
@ -327,17 +325,15 @@ public class ResourceLimitManagerImpl implements ResourceLimitService, Manager{
_accountMgr.checkAccess(caller, domain);
if (accountName != null) {
if (accountId != null) {
//Verify account information and permissions
Account account = _accountDao.findAccount(accountName, domainId);
Account account = _accountDao.findById(accountId);
if (account == null) {
//return empty set
return limits;
}
_accountMgr.checkAccess(caller, null, account);
accountId = account.getId();
domainId = null;
}
}
@ -455,7 +451,7 @@ public class ResourceLimitManagerImpl implements ResourceLimitService, Manager{
}
@Override
public ResourceLimitVO updateResourceLimit(Long ownerId, ResourceOwnerType ownerType, Integer typeId, Long max) {
public ResourceLimitVO updateResourceLimit(Long accountId, Long domainId, Integer typeId, Long max) {
Account caller = UserContext.current().getCaller();
if (max == null) {
@ -477,29 +473,40 @@ public class ResourceLimitManagerImpl implements ResourceLimitService, Manager{
}
}
if (ownerType == ResourceOwnerType.Domain) {
Domain domain = _entityMgr.findById(Domain.class, ownerId);
ResourceOwnerType ownerType = null;
Long ownerId = null;
if (accountId != null) {
Account account = _entityMgr.findById(Account.class, accountId);
if (account.getType() == Account.ACCOUNT_ID_SYSTEM) {
throw new InvalidParameterValueException("Can't update system account");
}
_accountMgr.checkAccess(caller, null, account);
ownerType = ResourceOwnerType.Account;
ownerId = accountId;
} else if (domainId != null) {
Domain domain = _entityMgr.findById(Domain.class, domainId);
_accountMgr.checkAccess(caller, domain);
if ((caller.getDomainId() == ownerId.longValue()) && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
if ((caller.getDomainId() == domainId.longValue()) && caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
// if the admin is trying to update their own domain, disallow...
throw new PermissionDeniedException("Unable to update resource limit for domain " + ownerId + ", permission denied");
throw new PermissionDeniedException("Unable to update resource limit for domain " + domainId + ", permission denied");
}
Long parentDomainId = domain.getParent();
if (parentDomainId != null) {
DomainVO parentDomain = _domainDao.findById(parentDomainId);
long parentMaximum = findCorrectResourceLimitForDomain(parentDomain, resourceType);
if ((parentMaximum >= 0) && (max.longValue() > parentMaximum)) {
throw new InvalidParameterValueException("Domain " + domain.getName() + "(id: " + ownerId + ") has maximum allowed resource limit " + parentMaximum + " for " + resourceType
throw new InvalidParameterValueException("Domain " + domain.getName() + "(id: " + parentDomain.getId() + ") has maximum allowed resource limit " + parentMaximum + " for " + resourceType
+ ", please specify a value less that or equal to " + parentMaximum);
}
}
} else if (ownerType == ResourceOwnerType.Account) {
Account account = _entityMgr.findById(Account.class, ownerId);
if (account.getType() == Account.ACCOUNT_ID_SYSTEM) {
throw new InvalidParameterValueException("Can't update system account");
}
_accountMgr.checkAccess(caller, null, account);
ownerType = ResourceOwnerType.Domain;
ownerId = domainId;
}
if (ownerId == null) {
throw new InvalidParameterValueException("AccountId or domainId have to be specified in order to update resource limit");
}
ResourceLimitVO limit = _resourceLimitDao.findByOwnerIdAndType(ownerId, ownerType, resourceType);