From 6a0bda0280e68dcee30ecb6a87db4e38fd1df744 Mon Sep 17 00:00:00 2001 From: Prachi Damle Date: Tue, 3 Sep 2013 13:38:16 -0700 Subject: [PATCH] CLOUDSTACK-4337 Dedicated Resources: Zone dedicated to an account should only be visible and accessible to that account Changes: - When listing a zone, add clause in the search to check the account_id for a dedicated zone - When listsing a zone with a domainid, add a similar clause. - DomainCheck:: checkAccess() for a zone should consider that zone can now be dediacted to a specific account and check access accordingly. Conflicts: server/src/com/cloud/api/query/vo/DataCenterJoinVO.java setup/db/db/schema-410to420.sql --- server/src/com/cloud/acl/DomainChecker.java | 16 ++++++++ .../com/cloud/api/query/QueryManagerImpl.java | 24 ++++++++++-- .../cloud/api/query/vo/DataCenterJoinVO.java | 20 ++++++++++ setup/db/db/schema-410to420.sql | 37 +++++++++++++++++++ 4 files changed, 94 insertions(+), 3 deletions(-) diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index 78ebe6ee809..7b47bae4f25 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -26,6 +26,8 @@ import org.apache.cloudstack.api.BaseCmd; import org.springframework.stereotype.Component; import com.cloud.dc.DataCenter; +import com.cloud.dc.DedicatedResourceVO; +import com.cloud.dc.dao.DedicatedResourceDao; import com.cloud.domain.Domain; import com.cloud.domain.dao.DomainDao; import com.cloud.exception.PermissionDeniedException; @@ -53,6 +55,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { @Inject ProjectManager _projectMgr; @Inject ProjectAccountDao _projecAccountDao; @Inject NetworkModel _networkMgr; + @Inject + private DedicatedResourceDao _dedicatedDao; protected DomainChecker() { super(); @@ -238,6 +242,18 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { //if account is normal user //check if account's domain is a child of zone's domain else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) { + // if zone is dedicated to an account check that the accountId + // matches. + DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId()); + if (dedicatedZone != null) { + if (dedicatedZone.getAccountId() != null) { + if (dedicatedZone.getAccountId() == account.getId()) { + return true; + } else { + return false; + } + } + } if (account.getDomainId() == zone.getDomainId()) { return true; //zone and account at exact node } else { diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 2e716bc9f0b..a2a57fa9e7f 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -2499,11 +2499,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { * List all resources due to Explicit Dedication except the * dedicated resources of other account */ - if (domainId != null && account.getType() == Account.ACCOUNT_TYPE_ADMIN) { // + if (domainId != null) { // // for domainId != null // right now, we made the decision to - // only - // / list zones associated // with this domain, private zone + // only list zones associated // with this domain, private zone sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId); + + if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) { + // accountId == null (zones dedicated to a domain) or + // accountId = caller + SearchCriteria sdc = _dcJoinDao.createSearchCriteria(); + sdc.addOr("accountId", SearchCriteria.Op.EQ, account.getId()); + sdc.addOr("accountId", SearchCriteria.Op.NULL); + + sc.addAnd("account", SearchCriteria.Op.SC, sdc); + } + } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) { // it was decided to return all zones for the user's domain, and // everything above till root @@ -2535,6 +2545,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // remove disabled zones sc.addAnd("allocationState", SearchCriteria.Op.NEQ, Grouping.AllocationState.Disabled); + // accountId == null (zones dedicated to a domain) or + // accountId = caller + SearchCriteria sdc2 = _dcJoinDao.createSearchCriteria(); + sdc2.addOr("accountId", SearchCriteria.Op.EQ, account.getId()); + sdc2.addOr("accountId", SearchCriteria.Op.NULL); + + sc.addAnd("account", SearchCriteria.Op.SC, sdc2); + // remove Dedicated zones not dedicated to this domainId or // subdomainId List dedicatedZoneIds = removeDedicatedZoneNotSuitabe(domainIds); diff --git a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java index 84becf2cbe1..c6a80e7d5b2 100644 --- a/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java +++ b/server/src/com/cloud/api/query/vo/DataCenterJoinVO.java @@ -108,6 +108,15 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id @Column(name="domain_path") private String domainPath; + @Column(name = "affinity_group_id") + private long affinityGroupId; + + @Column(name = "affinity_group_uuid") + private String affinityGroupUuid; + + @Column(name = "account_id") + private long accountId; + public DataCenterJoinVO() { } @@ -303,4 +312,15 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id } + public String getAffinityGroupUuid() { + return affinityGroupUuid; + } + + public long getAccountId() { + return accountId; + } + + public void setAccountId(long accountId) { + this.accountId = accountId; + } } diff --git a/setup/db/db/schema-410to420.sql b/setup/db/db/schema-410to420.sql index 5887caaeb57..0180e50acae 100644 --- a/setup/db/db/schema-410to420.sql +++ b/setup/db/db/schema-410to420.sql @@ -2338,3 +2338,40 @@ CREATE TABLE `cloud`.`ldap_configuration` ( PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; +DROP VIEW IF EXISTS `cloud`.`data_center_view`; +CREATE VIEW `cloud`.`data_center_view` AS + select + data_center.id, + data_center.uuid, + data_center.name, + data_center.is_security_group_enabled, + data_center.is_local_storage_enabled, + data_center.description, + data_center.dns1, + data_center.dns2, + data_center.ip6_dns1, + data_center.ip6_dns2, + data_center.internal_dns1, + data_center.internal_dns2, + data_center.guest_network_cidr, + data_center.domain, + data_center.networktype, + data_center.allocation_state, + data_center.zone_token, + data_center.dhcp_provider, + data_center.removed, + domain.id domain_id, + domain.uuid domain_uuid, + domain.name domain_name, + domain.path domain_path, + dedicated_resources.affinity_group_id, + dedicated_resources.account_id, + affinity_group.uuid affinity_group_uuid + from + `cloud`.`data_center` + left join + `cloud`.`domain` ON data_center.domain_id = domain.id + left join + `cloud`.`dedicated_resources` ON data_center.id = dedicated_resources.data_center_id + left join + `cloud`.`affinity_group` ON dedicated_resources.affinity_group_id = affinity_group.id;