RootAdmin and DomainAdmin access check via IAM

2025-11-02 20:02:29 +01:00 · 2014-01-10 17:06:10 -08:00 · 2014-01-10 17:06:10 -08:00 · 6cd121fe7b
commit 6cd121fe7b
parent 4bb31c2044
2 changed files with 26 additions and 4 deletions
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@ -360,17 +360,28 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
    @Override
    public boolean isRootAdmin(long accountId) {
        AccountVO acct = _accountDao.findById(accountId);
-        if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_ADMIN) {
-            return true;
+        for (SecurityChecker checker : _securityCheckers) {
+            if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                }
+                return true;
+            }
        }
+
        return false;
    }

    @Override
    public boolean isDomainAdmin(long accountId) {
        AccountVO acct = _accountDao.findById(accountId);
-        if (acct != null && acct.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
-            return true;
+        for (SecurityChecker checker : _securityCheckers) {
+            if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+                }
+                return true;
+            }
        }
        return false;
    }
--- a/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/acl/RoleBasedEntityAccessChecker.java
@ -57,6 +57,17 @@ public class RoleBasedEntityAccessChecker extends DomainChecker implements Secur
    public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
            throws PermissionDeniedException {

+        if (entity == null && action != null) {
+            // check if caller can do this action
+            List<AclPolicy> policies = _iamSrv.listAclPolicies(caller.getAccountId());
+
+            boolean isAllowed = _iamSrv.isActionAllowedForPolicies(action, policies);
+            if (!isAllowed) {
+                throw new PermissionDeniedException("The action '" + action + "' not allowed for account " + caller);
+            }
+            return true;
+        }
+
        String entityType = entity.getEntityType().toString();

        if (accessType == null) {