apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-4337 Dedicated Resources: Zone dedicated to an account should only be visible and accessible to that account

Browse Source 
Changes:
- When listing a zone, add clause in the search to check the account_id for a dedicated zone
- When listsing a zone with a domainid, add a similar clause.
- DomainCheck:: checkAccess() for a zone should consider that zone can now be dediacted to a specific account and check access accordingly.

Conflicts:

	server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
	setup/db/db/schema-410to420.sql
This commit is contained in:
Prachi Damle 2013-09-03 13:38:16 -07:00
parent 012afceed2
commit 6a0bda0280
4 changed files with 94 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
server/src/com/cloud/acl/DomainChecker.java
View File

@ -26,6 +26,8 @@ import org.apache.cloudstack.api.BaseCmd;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import com.cloud.dc.DataCenter; import com.cloud.dc.DataCenter;
import com.cloud.dc.DedicatedResourceVO;
import com.cloud.dc.dao.DedicatedResourceDao;
import com.cloud.domain.Domain; import com.cloud.domain.Domain;
import com.cloud.domain.dao.DomainDao; import com.cloud.domain.dao.DomainDao;
import com.cloud.exception.PermissionDeniedException; import com.cloud.exception.PermissionDeniedException;
@ -53,6 +55,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
@Inject ProjectManager _projectMgr; @Inject ProjectManager _projectMgr;
@Inject ProjectAccountDao _projecAccountDao; @Inject ProjectAccountDao _projecAccountDao;
@Inject NetworkModel _networkMgr; @Inject NetworkModel _networkMgr;
@Inject
private DedicatedResourceDao _dedicatedDao;
protected DomainChecker() { protected DomainChecker() {
super(); super();
@ -238,6 +242,18 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
//if account is normal user //if account is normal user
//check if account's domain is a child of zone's domain //check if account's domain is a child of zone's domain
else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) { else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL || account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
// if zone is dedicated to an account check that the accountId
// matches.
DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zone.getId());
if (dedicatedZone != null) {
if (dedicatedZone.getAccountId() != null) {
if (dedicatedZone.getAccountId() == account.getId()) {
return true;
} else {
return false;
}
}
}
if (account.getDomainId() == zone.getDomainId()) { if (account.getDomainId() == zone.getDomainId()) {
return true; //zone and account at exact node return true; //zone and account at exact node
} else { } else {

24
server/src/com/cloud/api/query/QueryManagerImpl.java
View File

@ -2499,11 +2499,21 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
* List all resources due to Explicit Dedication except the * List all resources due to Explicit Dedication except the
* dedicated resources of other account * dedicated resources of other account
*/ */
if (domainId != null && account.getType() == Account.ACCOUNT_TYPE_ADMIN) { // if (domainId != null) { //
// for domainId != null // right now, we made the decision to // for domainId != null // right now, we made the decision to
// only // only list zones associated // with this domain, private zone
// / list zones associated // with this domain, private zone
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId); sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
// accountId == null (zones dedicated to a domain) or
// accountId = caller
SearchCriteria<DataCenterJoinVO> sdc = _dcJoinDao.createSearchCriteria();
sdc.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
sdc.addOr("accountId", SearchCriteria.Op.NULL);
sc.addAnd("account", SearchCriteria.Op.SC, sdc);
}
} else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) { } else if (account.getType() == Account.ACCOUNT_TYPE_NORMAL) {
// it was decided to return all zones for the user's domain, and // it was decided to return all zones for the user's domain, and
// everything above till root // everything above till root
@ -2535,6 +2545,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
// remove disabled zones // remove disabled zones
sc.addAnd("allocationState", SearchCriteria.Op.NEQ, Grouping.AllocationState.Disabled); sc.addAnd("allocationState", SearchCriteria.Op.NEQ, Grouping.AllocationState.Disabled);
// accountId == null (zones dedicated to a domain) or
// accountId = caller
SearchCriteria<DataCenterJoinVO> sdc2 = _dcJoinDao.createSearchCriteria();
sdc2.addOr("accountId", SearchCriteria.Op.EQ, account.getId());
sdc2.addOr("accountId", SearchCriteria.Op.NULL);
sc.addAnd("account", SearchCriteria.Op.SC, sdc2);
// remove Dedicated zones not dedicated to this domainId or // remove Dedicated zones not dedicated to this domainId or
// subdomainId // subdomainId
List<Long> dedicatedZoneIds = removeDedicatedZoneNotSuitabe(domainIds); List<Long> dedicatedZoneIds = removeDedicatedZoneNotSuitabe(domainIds);

20
server/src/com/cloud/api/query/vo/DataCenterJoinVO.java
View File

@ -108,6 +108,15 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id
@Column(name="domain_path") @Column(name="domain_path")
private String domainPath; private String domainPath;
@Column(name = "affinity_group_id")
private long affinityGroupId;
@Column(name = "affinity_group_uuid")
private String affinityGroupUuid;
@Column(name = "account_id")
private long accountId;
public DataCenterJoinVO() { public DataCenterJoinVO() {
} }
@ -303,4 +312,15 @@ public class DataCenterJoinVO extends BaseViewVO implements InternalIdentity, Id
} }
public String getAffinityGroupUuid() {
return affinityGroupUuid;
}
public long getAccountId() {
return accountId;
}
public void setAccountId(long accountId) {
this.accountId = accountId;
}
} }

37
setup/db/db/schema-410to420.sql
View File

@ -2338,3 +2338,40 @@ CREATE TABLE `cloud`.`ldap_configuration` (
PRIMARY KEY (`id`) PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8; ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
DROP VIEW IF EXISTS `cloud`.`data_center_view`;
CREATE VIEW `cloud`.`data_center_view` AS
select
data_center.id,
data_center.uuid,
data_center.name,
data_center.is_security_group_enabled,
data_center.is_local_storage_enabled,
data_center.description,
data_center.dns1,
data_center.dns2,
data_center.ip6_dns1,
data_center.ip6_dns2,
data_center.internal_dns1,
data_center.internal_dns2,
data_center.guest_network_cidr,
data_center.domain,
data_center.networktype,
data_center.allocation_state,
data_center.zone_token,
data_center.dhcp_provider,
data_center.removed,
domain.id domain_id,
domain.uuid domain_uuid,
domain.name domain_name,
domain.path domain_path,
dedicated_resources.affinity_group_id,
dedicated_resources.account_id,
affinity_group.uuid affinity_group_uuid
from
`cloud`.`data_center`
left join
`cloud`.`domain` ON data_center.domain_id = domain.id
left join
`cloud`.`dedicated_resources` ON data_center.id = dedicated_resources.data_center_id
left join
`cloud`.`affinity_group` ON dedicated_resources.affinity_group_id = affinity_group.id;