CLOUDSTACK-4337 Dedicated Resources: Zone dedicated to an account should only be visible and accessible to that account

Changes: - When listing a zone, add clause in the search to check the account_id for a dedicated zone - When listsing a zone with a domainid, add a similar clause. - DomainCheck:: checkAccess() for a zone should consider that zone can now be dediacted to a specific account and check access accordingly. Conflicts: server/src/com/cloud/api/query/vo/DataCenterJoinVO.java setup/db/db/schema-410to420.sql
2025-10-26 08:42:29 +01:00 · 2013-09-03 13:38:16 -07:00 · 2013-09-03 13:38:16 -07:00 · 6a0bda0280
commit 6a0bda0280
parent 012afceed2
4 changed files with 94 additions and 3 deletions
--- a/server/src/com/cloud/acl/DomainChecker.java
+++ b/server/src/com/cloud/acl/DomainChecker.java
@ -26,6 +26,8 @@ import org.apache.cloudstack.api.BaseCmd;
 import org.springframework.stereotype.Component;

 import com.cloud.dc.DataCenter;
+import com.cloud.dc.DedicatedResourceVO;
+import com.cloud.dc.dao.DedicatedResourceDao;
 import com.cloud.domain.Domain;
 import com.cloud.domain.dao.DomainDao;
 import com.cloud.exception.PermissionDeniedException;
@ -53,6 +55,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
    @Inject ProjectManager _projectMgr;
    @Inject ProjectAccountDao _projecAccountDao;
    @Inject NetworkModel _networkMgr;
+    @Inject
+    private DedicatedResourceDao _dedicatedDao;
    
    protected DomainChecker() {
        super();
@ -238,6 +242,18 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
 			//if account is normal user
 			//check if account's domain is a child of zone's domain
            else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
+                // if zone is dedicated to an account check that the accountId
+                // matches.
+                DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId());
+                if (dedicatedZone != null) {
+                    if (dedicatedZone.getAccountId() != null) {
+                        if (dedicatedZone.getAccountId() == account.getId()) {
+                            return true;
+                        } else {
+                            return false;
+                        }
+                    }
+                }
                if (account.getDomainId() == zone.getDomainId()) {
 					return true; //zone and account at exact node
                } else {
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@ -2499,11 +2499,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
             * List all resources due to Explicit Dedication except the
             * dedicated resources of other account
             */
-            if (domainId != null && account.getType() == Account.ACCOUNT_TYPE_ADMIN) { //
+            if (domainId != null) { //
                // for domainId != null // right now, we made the decision to
-                // only
-                // / list zones associated // with this domain, private zone
+                // only list zones associated // with this domain, private zone
                sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
+
+                if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
+                    // accountId == null (zones dedicated to a domain) or
+                    // accountId = caller
+                    SearchCriteria<DataCenterJoinVO> sdc = _dcJoinDao.createSearchCriteria();
+                    sdc.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
+                    sdc.addOr("accountId", SearchCriteria.Op.NULL);
+
+                    sc.addAnd("account", SearchCriteria.Op.SC, sdc);
+                }
+
            } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                // it was decided to return all zones for the user's domain, and
                // everything above till root
@ -2535,6 +2545,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
                // remove disabled zones
                sc.addAnd("allocationState", SearchCriteria.Op.NEQ, Grouping.AllocationState.Disabled);

+                // accountId == null (zones dedicated to a domain) or
+                // accountId = caller
+                SearchCriteria<DataCenterJoinVO> sdc2 = _dcJoinDao.createSearchCriteria();
+                sdc2.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
+                sdc2.addOr("accountId", SearchCriteria.Op.NULL);
+
+                sc.addAnd("account", SearchCriteria.Op.SC, sdc2);
+
                // remove Dedicated zones not dedicated to this domainId or
                // subdomainId
                List<Long> dedicatedZoneIds = removeDedicatedZoneNotSuitabe(domainIds);
--- a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
+++ b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
@ -108,6 +108,15 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id
    @Column(name="domain_path")
    private String domainPath;

+    @Column(name = "affinity_group_id")
+    private long affinityGroupId;
+
+    @Column(name = "affinity_group_uuid")
+    private String affinityGroupUuid;
+
+    @Column(name = "account_id")
+    private long accountId;
+

    public DataCenterJoinVO() {
    }
@ -303,4 +312,15 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id
 	}


+    public String getAffinityGroupUuid() {
+        return affinityGroupUuid;
+    }
+
+    public long getAccountId() {
+        return accountId;
+    }
+
+    public void setAccountId(long accountId) {
+        this.accountId = accountId;
+    }
 }
--- a/setup/db/db/schema-410to420.sql
+++ b/setup/db/db/schema-410to420.sql
@ -2338,3 +2338,40 @@ CREATE TABLE `cloud`.`ldap_configuration` (
  PRIMARY KEY  (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

+DROP VIEW IF EXISTS `cloud`.`data_center_view`;
+CREATE VIEW `cloud`.`data_center_view` AS
+    select 
+        data_center.id,
+        data_center.uuid,
+        data_center.name,
+        data_center.is_security_group_enabled,
+        data_center.is_local_storage_enabled,
+        data_center.description,
+        data_center.dns1,
+        data_center.dns2,
+        data_center.ip6_dns1,
+        data_center.ip6_dns2,
+        data_center.internal_dns1,
+        data_center.internal_dns2,
+        data_center.guest_network_cidr,
+        data_center.domain,
+        data_center.networktype,
+        data_center.allocation_state,
+        data_center.zone_token,
+        data_center.dhcp_provider,
+        data_center.removed,
+        domain.id domain_id,
+        domain.uuid domain_uuid,
+        domain.name domain_name,
+        domain.path domain_path,
+		dedicated_resources.affinity_group_id,
+		dedicated_resources.account_id,
+		affinity_group.uuid affinity_group_uuid
+    from
+        `cloud`.`data_center`
+            left join
+        `cloud`.`domain` ON data_center.domain_id = domain.id
+			left join
+        `cloud`.`dedicated_resources` ON data_center.id = dedicated_resources.data_center_id
+			left join
+        `cloud`.`affinity_group` ON dedicated_resources.affinity_group_id = affinity_group.id;