Account_Type Refactoring for Root Admin Role
- change the AccountService::isRootAdmin(short) to isRootAdmin(long accountId); - Change all callers - Change all places that check the account.getType() directly to call the AccountManagerImpl.
parent
ddae23c168
commit
aba54356d5
@ -24,13 +24,6 @@ import org.apache.cloudstack.api.InternalIdentity;
|
||||
|
||||
|
||||
public interface Account extends ControlledEntity, InternalIdentity, Identity {
|
||||
public enum Type {
|
||||
Normal,
|
||||
Admin,
|
||||
DomainAdmin,
|
||||
CustomerCare,
|
||||
Project
|
||||
}
|
||||
|
||||
public enum State {
|
||||
disabled,
|
||||
|
||||
@ -86,7 +86,7 @@ public interface AccountService {
|
||||
|
||||
User getUserIncludingRemoved(long userId);
|
||||
|
||||
boolean isRootAdmin(short accountType);
|
||||
boolean isRootAdmin(long accountId);
|
||||
|
||||
User getActiveUserByRegistrationToken(String registrationToken);
|
||||
|
||||
|
||||
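Review bot: Changing `isRootAdmin(short accountType)` to `isRootAdmin(long accountId)` under the same name lets any caller this commit missed keep compiling, because Java widens a `short` argument to `long`; such a call would silently test the account whose id equals the type code instead of failing the build. The same applies to `findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type)` in ResourceLimitService and `findCorrectResourceLimit(Long limit, long accountId, ResourceType type)` in ApiDBUtils. Either give the id-based method a distinct name, or keep the old overload for a while as `@Deprecated boolean isRootAdmin(short accountType);` so leftover callers bind to it and show up as deprecation warnings. The new declaration also has no Javadoc; it should state what is returned for an unknown or removed account id, which callers doing authorization need to know.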
@ -88,7 +88,7 @@ public interface ResourceLimitService {
|
||||
* @param type
|
||||
* @return
|
||||
*/
|
||||
public long findCorrectResourceLimitForAccount(short accountType, Long limit, ResourceType type);
|
||||
public long findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type);
|
||||
|
||||
/**
|
||||
* Finds the resource limit for a specified domain and type. If the domain has an infinite limit, will check
|
||||
|
||||
@ -473,16 +473,6 @@ public abstract class BaseCmd {
|
||||
return 0;
|
||||
}
|
||||
|
||||
public static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
||||
public static boolean isRootAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN));
|
||||
}
|
||||
|
||||
public void setFullUrlParams(Map<String, String> map) {
|
||||
this.fullUrlParams = map;
|
||||
}
|
||||
|
||||
@ -81,7 +81,7 @@ public class BaseListTemplateOrIsoPermissionsCmd extends BaseCmd {
|
||||
List<String> accountNames = _templateService.listTemplatePermissions(this);
|
||||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
boolean isAdmin = (isAdmin(account.getType()));
|
||||
boolean isAdmin = (_accountService.isAdmin(account.getType()));
|
||||
|
||||
TemplatePermissionsResponse response = _responseGenerator.createTemplatePermissionsResponse(accountNames, id, isAdmin);
|
||||
response.setResponseName(getCommandName());
|
||||
|
||||
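Review bot: `_accountService.isAdmin(account.getType())` still decides on the raw type code, while the root-admin check in this commit moves to a lookup by account id, so the two privilege predicates now take different inputs. If the aim of the refactoring is to stop trusting `getType()` at call sites, this call should get an id-based variant too, or at least a comment such as `// isAdmin is still type-based; to be converted with the role refactoring`. `account` is also dereferenced here without the `account == null` guard that the other commands touched by this commit use, so one of the two places is wrong about whether a null caller can occur. The enclosing method starts and ends outside the hunk, and the declaration of `isAdmin` on the service is not visible here.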
@ -121,7 +121,7 @@ public class CreateUserCmd extends BaseCmd {
|
||||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
||||
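Review bot: The condition `(account == null) || _accountService.isAdmin(account.getType())` treats a missing calling account exactly like an admin and then lets `domainId` and `accountName` (presumably request parameters) select the owner. If a null caller can only mean a trusted internal call, document that on the line (`// null caller: internal call, no API user attached`); otherwise fail closed with `if (account != null && _accountService.isAdmin(account.getType())) {`. The same null-or-admin condition is carried over in CreateAffinityGroupCmd, DeleteAffinityGroupCmd, UpdateResourceCountCmd, CreateSecurityGroupCmd, DeleteSSHKeyPairCmd, ListIsosCmd, ListTemplatesCmd and TemplateJoinDaoImpl. getEntityOwnerId continues past the hunk, so the rest of the branch cannot be checked from here.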
@ -96,7 +96,7 @@ public class CreateAffinityGroupCmd extends BaseAsyncCreateCmd {
|
||||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
||||
@ -102,7 +102,7 @@ public class DeleteAffinityGroupCmd extends BaseAsyncCmd {
|
||||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
||||
@ -16,10 +16,6 @@
|
||||
// under the License.
|
||||
package org.apache.cloudstack.api.command.user.iso;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.cloudstack.api.APICommand;
|
||||
import org.apache.cloudstack.api.ApiCommandJobType;
|
||||
import org.apache.cloudstack.api.ApiConstants;
|
||||
@ -34,7 +30,6 @@ import org.apache.log4j.Logger;
|
||||
|
||||
import com.cloud.template.VirtualMachineTemplate.TemplateFilter;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.utils.Pair;
|
||||
|
||||
@APICommand(name = "listIsos", description="Lists all available ISO files.", responseObject=TemplateResponse.class)
|
||||
public class ListIsosCmd extends BaseListTaggedResourcesCmd {
|
||||
@ -119,7 +114,8 @@ public class ListIsosCmd extends BaseListTaggedResourcesCmd {
|
||||
public boolean listInReadyState() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
// It is account specific if account is admin type and domainId and accountName are not null
|
||||
boolean isAccountSpecific = (account == null || isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null);
|
||||
boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType()))
|
||||
&& (getAccountName() != null) && (getDomainId() != null);
|
||||
// Show only those that are downloaded.
|
||||
TemplateFilter templateFilter = TemplateFilter.valueOf(getIsoFilter());
|
||||
boolean onlyReady = (templateFilter == TemplateFilter.featured) || (templateFilter == TemplateFilter.selfexecutable) || (templateFilter == TemplateFilter.sharedexecutable)
|
||||
|
||||
@ -101,7 +101,7 @@ public class UpdateResourceCountCmd extends BaseCmd {
|
||||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
||||
@ -93,7 +93,7 @@ public class CreateSecurityGroupCmd extends BaseCmd {
|
||||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
||||
@ -92,7 +92,7 @@ public class DeleteSSHKeyPairCmd extends BaseCmd {
|
||||
@Override
|
||||
public long getEntityOwnerId() {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if ((account == null) || isAdmin(account.getType())) {
|
||||
if ((account == null) || _accountService.isAdmin(account.getType())) {
|
||||
if ((domainId != null) && (accountName != null)) {
|
||||
Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId);
|
||||
if (userAccount != null) {
|
||||
|
||||
@ -16,10 +16,6 @@
|
||||
// under the License.
|
||||
package org.apache.cloudstack.api.command.user.template;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.cloudstack.api.APICommand;
|
||||
import org.apache.cloudstack.api.ApiCommandJobType;
|
||||
import org.apache.cloudstack.api.ApiConstants;
|
||||
@ -27,7 +23,6 @@ import org.apache.cloudstack.api.BaseListTaggedResourcesCmd;
|
||||
import org.apache.cloudstack.api.Parameter;
|
||||
import org.apache.cloudstack.api.response.ListResponse;
|
||||
import org.apache.cloudstack.api.response.TemplateResponse;
|
||||
import org.apache.cloudstack.api.response.VolumeResponse;
|
||||
import org.apache.cloudstack.api.response.ZoneResponse;
|
||||
import org.apache.cloudstack.context.CallContext;
|
||||
|
||||
@ -35,7 +30,6 @@ import org.apache.log4j.Logger;
|
||||
|
||||
import com.cloud.template.VirtualMachineTemplate.TemplateFilter;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.utils.Pair;
|
||||
|
||||
@APICommand(name = "listTemplates", description="List all public, private, and privileged templates.", responseObject=TemplateResponse.class)
|
||||
public class ListTemplatesCmd extends BaseListTaggedResourcesCmd {
|
||||
@ -98,7 +92,8 @@ public class ListTemplatesCmd extends BaseListTaggedResourcesCmd {
|
||||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
// It is account specific if account is admin type and domainId and accountName are not null
|
||||
boolean isAccountSpecific = (account == null || isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null);
|
||||
boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType()))
|
||||
&& (getAccountName() != null) && (getDomainId() != null);
|
||||
// Show only those that are downloaded.
|
||||
TemplateFilter templateFilter = TemplateFilter.valueOf(getTemplateFilter());
|
||||
boolean onlyReady = (templateFilter == TemplateFilter.featured) || (templateFilter == TemplateFilter.selfexecutable) || (templateFilter == TemplateFilter.sharedexecutable)
|
||||
|
||||
@ -156,7 +156,7 @@ public class ApiRateLimitServiceImpl extends AdapterBase implements APIChecker,
|
||||
}
|
||||
Long accountId = user.getAccountId();
|
||||
Account account = _accountService.getAccount(accountId);
|
||||
if ( _accountService.isRootAdmin(account.getType())){
|
||||
if (_accountService.isRootAdmin(account.getId())) {
|
||||
// no API throttling on root admin
|
||||
return true;
|
||||
}
|
||||
|
||||
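Review bot: `account` is dereferenced in `_accountService.isRootAdmin(account.getId())` without a null check, so a user whose account lookup returns null would fail the rate-limit check with a NullPointerException rather than a controlled denial. Now that the method takes an id, the fetched object is not needed for this test at all: `if (_accountService.isRootAdmin(accountId)) {`. Whether `account` is used further down cannot be seen, because the method continues outside the hunk; if it is not, the `getAccount` call can go.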
@ -70,7 +70,7 @@ public class ApiRateLimitTest {
|
||||
testAccount = acct;
|
||||
|
||||
when(_accountService.getAccount(5L)).thenReturn(testAccount);
|
||||
when(_accountService.isRootAdmin(Account.ACCOUNT_TYPE_NORMAL)).thenReturn(false);
|
||||
when(_accountService.isRootAdmin(5L)).thenReturn(false);
|
||||
}
|
||||
|
||||
@Before
|
||||
|
||||
@ -51,7 +51,7 @@ public class AffinityGroupAccessChecker extends DomainChecker {
|
||||
|
||||
if (_affinityGroupService.isAdminControlledGroup(group)) {
|
||||
if (accessType != null && accessType == AccessType.ModifyEntry
|
||||
&& !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
&& !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException(caller + " does not have permission to operate with resource "
|
||||
+ entity);
|
||||
}
|
||||
|
||||
@ -41,6 +41,7 @@ import com.cloud.storage.LaunchPermissionVO;
|
||||
import com.cloud.storage.dao.LaunchPermissionDao;
|
||||
import com.cloud.template.VirtualMachineTemplate;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.user.User;
|
||||
import com.cloud.user.dao.AccountDao;
|
||||
import com.cloud.utils.component.AdapterBase;
|
||||
@ -57,6 +58,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
@Inject NetworkModel _networkMgr;
|
||||
@Inject
|
||||
private DedicatedResourceDao _dedicatedDao;
|
||||
@Inject
|
||||
AccountService _accountService;
|
||||
|
||||
protected DomainChecker() {
|
||||
super();
|
||||
@ -97,7 +100,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
Account owner = _accountDao.findById(template.getAccountId());
|
||||
// validate that the template is usable by the account
|
||||
if (!template.isPublicTemplate()) {
|
||||
if (BaseCmd.isRootAdmin(caller.getType()) || (owner.getId() == caller.getId())) {
|
||||
if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) {
|
||||
return true;
|
||||
}
|
||||
//special handling for the project case
|
||||
@ -114,7 +117,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
} else {
|
||||
// Domain admin and regular user can delete/modify only templates created by them
|
||||
if (accessType != null && accessType == AccessType.ModifyEntry) {
|
||||
if (!BaseCmd.isRootAdmin(caller.getType()) && owner.getId() != caller.getId()) {
|
||||
if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) {
|
||||
// For projects check if the caller account can access the project account
|
||||
if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) {
|
||||
throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
|
||||
@ -164,7 +167,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
return true;
|
||||
} else {
|
||||
//admin has all permissions
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountService.isRootAdmin(account.getId())) {
|
||||
return true;
|
||||
}
|
||||
//if account is normal user or domain admin
|
||||
@ -200,7 +203,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
return true;
|
||||
} else {
|
||||
//admin has all permissions
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountService.isRootAdmin(account.getId())) {
|
||||
return true;
|
||||
}
|
||||
//if account is normal user or domain admin
|
||||
@ -236,7 +239,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker {
|
||||
return true;
|
||||
} else {
|
||||
//admin has all permissions
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountService.isRootAdmin(account.getId())) {
|
||||
return true;
|
||||
}
|
||||
//if account is normal user
|
||||
|
||||
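Review bot: In the template check, `owner` comes from `_accountDao.findById(template.getAccountId())` and is dereferenced in `_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())` whenever the caller is not a root admin; if the owning account row is missing this presumably throws a NullPointerException instead of denying access. An explicit guard before the comparison, `if (owner == null) { throw new PermissionDeniedException("Template owner not found"); }`, makes the outcome deliberate. The three later hunks keep the comment `//admin has all permissions`, which should now read `// root admin has all permissions` to match the check. The newly injected `AccountService _accountService;` could also be `private`, like `_dedicatedDao` directly above it.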
@ -696,8 +696,8 @@ public class ApiDBUtils {
|
||||
return _resourceLimitMgr.findCorrectResourceLimitForAccount(account, type);
|
||||
}
|
||||
|
||||
public static long findCorrectResourceLimit(Long limit, short accountType, ResourceType type) {
|
||||
return _resourceLimitMgr.findCorrectResourceLimitForAccount(accountType, limit, type);
|
||||
public static long findCorrectResourceLimit(Long limit, long accountId, ResourceType type) {
|
||||
return _resourceLimitMgr.findCorrectResourceLimitForAccount(accountId, limit, type);
|
||||
}
|
||||
|
||||
public static long getResourceCount(ResourceType type, long accountId) {
|
||||
|
||||
@ -681,7 +681,7 @@ public class ApiResponseHelper implements ResponseGenerator {
|
||||
|
||||
// show this info to admin only
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountMgr.isRootAdmin(account.getId())) {
|
||||
VlanVO vl = ApiDBUtils.findVlanById(ipAddr.getVlanId());
|
||||
if (vl != null) {
|
||||
ipResponse.setVlanId(vl.getUuid());
|
||||
@ -2176,7 +2176,8 @@ public class ApiResponseHelper implements ResponseGenerator {
|
||||
response.setReservedIpRange(reservation);
|
||||
|
||||
// return vlan information only to Root admin
|
||||
if (network.getBroadcastUri() != null && CallContext.current().getCallingAccount().getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (network.getBroadcastUri() != null
|
||||
&& _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
|
||||
String broadcastUri = network.getBroadcastUri().toString();
|
||||
response.setBroadcastUri(broadcastUri);
|
||||
String vlan = "N/A";
|
||||
|
||||
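Review bot: Both checks call `_accountMgr.isRootAdmin(...)` while a single response object is being built, so a list call now runs one service lookup per IP address or network where the old code compared an in-memory field. The caller does not change during a request, so resolving the flag once and passing the boolean down would avoid the repeated lookups; the implementation is not visible here, so the cost is an assumption to confirm. The same per-row pattern is introduced in DataCenterJoinDaoImpl, DomainRouterJoinDaoImpl, UserVmJoinDaoImpl and VolumeJoinDaoImpl. `CallContext.current().getCallingAccount()` is also dereferenced without a null check in both places, unlike the join DAOs that test `account == null` first.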
@ -409,7 +409,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
|
||||
} catch (InsufficientCapacityException ex){
|
||||
s_logger.info(ex.getMessage());
|
||||
String errorMsg = ex.getMessage();
|
||||
if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){
|
||||
if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
|
||||
// hide internal details to non-admin user for security reason
|
||||
errorMsg = BaseCmd.USER_ERROR_MESSAGE;
|
||||
}
|
||||
@ -420,7 +420,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
|
||||
} catch (ResourceUnavailableException ex){
|
||||
s_logger.info(ex.getMessage());
|
||||
String errorMsg = ex.getMessage();
|
||||
if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){
|
||||
if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
|
||||
// hide internal details to non-admin user for security reason
|
||||
errorMsg = BaseCmd.USER_ERROR_MESSAGE;
|
||||
}
|
||||
@ -431,7 +431,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
|
||||
} catch (Exception ex){
|
||||
s_logger.error("unhandled exception executing api command: " + ((command == null) ? "null" : command[0]), ex);
|
||||
String errorMsg = ex.getMessage();
|
||||
if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){
|
||||
if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) {
|
||||
// hide internal details to non-admin user for security reason
|
||||
errorMsg = BaseCmd.USER_ERROR_MESSAGE;
|
||||
}
|
||||
@ -565,7 +565,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer
|
||||
List<? extends AsyncJob> jobs = null;
|
||||
|
||||
// list all jobs for ROOT admin
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountMgr.isRootAdmin(account.getId())) {
|
||||
jobs = _asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), null);
|
||||
} else {
|
||||
jobs = _asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), account.getId());
|
||||
|
||||
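Review bot: The three catch blocks now call `_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())` while another exception is being handled; if that call itself throws (null calling account, or a failure inside the lookup), the original error is replaced and the line that substitutes `BaseCmd.USER_ERROR_MESSAGE` is never reached. Resolve the flag once before the `try`, or fall back to the generic message when the check fails, so the path that hides internal details from non-admin users cannot be skipped. The three blocks differ only in the exception type and log call, so the message selection could live in one private helper. The enclosing method starts and ends outside these hunks.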
@ -2234,7 +2234,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
|
||||
// if a domainId is provided, we just return the disk offering
|
||||
// associated with this domain
|
||||
if (domainId != null) {
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_ADMIN || isPermissible(account.getDomainId(), domainId)) {
|
||||
if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) {
|
||||
// check if the user's domain == do's domain || user's domain is
|
||||
// a child of so's domain for non-root users
|
||||
sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId);
|
||||
@ -2355,14 +2355,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
|
||||
Boolean isSystem = cmd.getIsSystem();
|
||||
String vmTypeStr = cmd.getSystemVmType();
|
||||
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && isSystem) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) {
|
||||
throw new InvalidParameterValueException("Only ROOT admins can access system's offering");
|
||||
}
|
||||
|
||||
// Keeping this logic consistent with domain specific zones
|
||||
// if a domainId is provided, we just return the so associated with this
|
||||
// domain
|
||||
if (domainId != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
// check if the user's domain == so's domain || user's domain is a
|
||||
// child of so's domain
|
||||
if (!isPermissible(caller.getDomainId(), domainId)) {
|
||||
@ -2761,7 +2761,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService {
|
||||
}
|
||||
|
||||
// if template is not public, perform permission check here
|
||||
if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
Account owner = _accountMgr.getAccount(template.getAccountId());
|
||||
_accountMgr.checkAccess(caller, null, true, owner);
|
||||
}
|
||||
|
||||
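Review bot: `isSystem` is declared as `Boolean isSystem = cmd.getIsSystem();` and is unboxed in `!_accountMgr.isRootAdmin(caller.getId()) && isSystem`, so a non-root caller that omits the parameter would hit a NullPointerException unless the getter never returns null. `Boolean.TRUE.equals(isSystem)` gives the same decision without unboxing. With the current operand order the account lookup also runs on every listing; testing the flag first, `if (Boolean.TRUE.equals(isSystem) && !_accountMgr.isRootAdmin(caller.getId())) {`, skips it for ordinary requests. The surrounding method is only partly visible in the hunk.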
@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
|
||||
import java.util.List;
|
||||
|
||||
import javax.ejb.Local;
|
||||
import javax.inject.Inject;
|
||||
|
||||
import org.apache.cloudstack.api.response.AccountResponse;
|
||||
import org.apache.cloudstack.api.response.ResourceLimitAndCountResponse;
|
||||
@ -32,6 +33,7 @@ import com.cloud.api.query.vo.AccountJoinVO;
|
||||
import com.cloud.api.query.vo.UserAccountJoinVO;
|
||||
import com.cloud.configuration.Resource.ResourceType;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountManager;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
import com.cloud.utils.db.SearchCriteria;
|
||||
@ -42,6 +44,8 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
|
||||
public static final Logger s_logger = Logger.getLogger(AccountJoinDaoImpl.class);
|
||||
|
||||
private SearchBuilder<AccountJoinVO> acctIdSearch;
|
||||
@Inject
|
||||
public AccountManager _accountMgr;
|
||||
|
||||
protected AccountJoinDaoImpl() {
|
||||
|
||||
@ -69,11 +73,11 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
|
||||
accountResponse.setBytesReceived(account.getBytesReceived());
|
||||
accountResponse.setBytesSent(account.getBytesSent());
|
||||
|
||||
boolean accountIsAdmin = (account.getType() == Account.ACCOUNT_TYPE_ADMIN);
|
||||
boolean accountIsAdmin = (_accountMgr.isRootAdmin(account.getId()));
|
||||
setResourceLimits(account, accountIsAdmin, accountResponse);
|
||||
|
||||
//get resource limits for projects
|
||||
long projectLimit = ApiDBUtils.findCorrectResourceLimit(account.getProjectLimit(), account.getType(), ResourceType.project);
|
||||
long projectLimit = ApiDBUtils.findCorrectResourceLimit(account.getProjectLimit(), account.getId(), ResourceType.project);
|
||||
String projectLimitDisplay = (accountIsAdmin || projectLimit == -1) ? "Unlimited" : String.valueOf(projectLimit);
|
||||
long projectTotal = (account.getProjectTotal() == null) ? 0 : account.getProjectTotal();
|
||||
String projectAvail = (accountIsAdmin || projectLimit == -1) ? "Unlimited" : String.valueOf(projectLimit - projectTotal);
|
||||
@ -103,7 +107,7 @@ public class AccountJoinDaoImpl extends GenericDaoBase<AccountJoinVO, Long> impl
|
||||
@Override
|
||||
public void setResourceLimits(AccountJoinVO account, boolean accountIsAdmin, ResourceLimitAndCountResponse response) {
|
||||
// Get resource limits and counts
|
||||
long vmLimit = ApiDBUtils.findCorrectResourceLimit(account.getVmLimit(), account.getType(), ResourceType.user_vm);
|
||||
long vmLimit = ApiDBUtils.findCorrectResourceLimit(account.getVmLimit(), account.getId(), ResourceType.user_vm);
|
||||
String vmLimitDisplay = (accountIsAdmin || vmLimit == -1) ? "Unlimited" : String.valueOf(vmLimit);
|
||||
long vmTotal = (account.getVmTotal() == null) ? 0 : account.getVmTotal();
|
||||
String vmAvail = (accountIsAdmin || vmLimit == -1) ? "Unlimited" : String.valueOf(vmLimit - vmTotal);
|
||||
|
||||
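Review bot: The injected field is declared `public AccountManager _accountMgr;`, which lets any class replace the object that answers the root-admin question for this DAO; `private AccountManager _accountMgr;` should be sufficient, as the `@Inject private ConfigurationDao _configDao;` fields in the sibling DAOs suggest. The same public declaration is added to DataCenterJoinDaoImpl, DomainRouterJoinDaoImpl, TemplateJoinDaoImpl, UserVmJoinDaoImpl and VolumeJoinDaoImpl. In `setResourceLimits`, every `ApiDBUtils.findCorrectResourceLimit(..., account.getId(), ...)` call now passes the id, so if the implementation resolves the account each time, one response triggers a lookup per resource type even though `accountIsAdmin` is already known. Only the first limit computation of `setResourceLimits` is inside the hunk.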
@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
|
||||
import java.util.List;
|
||||
|
||||
import javax.ejb.Local;
|
||||
import javax.inject.Inject;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
@ -31,6 +32,7 @@ import org.apache.cloudstack.api.response.ZoneResponse;
|
||||
import org.apache.cloudstack.context.CallContext;
|
||||
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountManager;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
import com.cloud.utils.db.SearchCriteria;
|
||||
@ -44,6 +46,8 @@ public class DataCenterJoinDaoImpl extends GenericDaoBase<DataCenterJoinVO, Long
|
||||
|
||||
|
||||
private SearchBuilder<DataCenterJoinVO> dofIdSearch;
|
||||
@Inject
|
||||
public AccountManager _accountMgr;
|
||||
|
||||
protected DataCenterJoinDaoImpl() {
|
||||
|
||||
@ -70,7 +74,7 @@ public class DataCenterJoinDaoImpl extends GenericDaoBase<DataCenterJoinVO, Long
|
||||
zoneResponse.setDescription(dataCenter.getDescription());
|
||||
}
|
||||
|
||||
if ((account == null) || (account.getType() == Account.ACCOUNT_TYPE_ADMIN)) {
|
||||
if ((account == null) || (_accountMgr.isRootAdmin(account.getId()))) {
|
||||
zoneResponse.setDns1(dataCenter.getDns1());
|
||||
zoneResponse.setDns2(dataCenter.getDns2());
|
||||
zoneResponse.setIp6Dns1(dataCenter.getIp6Dns1());
|
||||
|
||||
@ -35,6 +35,7 @@ import com.cloud.network.Networks.TrafficType;
|
||||
import com.cloud.network.router.VirtualRouter;
|
||||
import com.cloud.network.router.VirtualRouter.Role;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountManager;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
import com.cloud.utils.db.SearchCriteria;
|
||||
@ -46,6 +47,8 @@ public class DomainRouterJoinDaoImpl extends GenericDaoBase<DomainRouterJoinVO,
|
||||
|
||||
@Inject
|
||||
private ConfigurationDao _configDao;
|
||||
@Inject
|
||||
public AccountManager _accountMgr;
|
||||
|
||||
private final SearchBuilder<DomainRouterJoinVO> vrSearch;
|
||||
|
||||
@ -78,7 +81,7 @@ public class DomainRouterJoinDaoImpl extends GenericDaoBase<DomainRouterJoinVO,
|
||||
routerResponse.setRedundantState(router.getRedundantState().toString());
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN
|
||||
|| caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
|| _accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (router.getHostId() != null) {
|
||||
routerResponse.setHostId(router.getHostUuid());
|
||||
routerResponse.setHostName(router.getHostName());
|
||||
|
||||
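Review bot: The condition is only half converted: `caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN` still reads the type code while the root-admin half goes through `_accountMgr.isRootAdmin(caller.getId())`, so exposure of host details is decided from two different sources. The commit message says direct `getType()` checks are to be replaced; either add a service method for the resource-domain-admin case or mark the leftover with `// resource domain admin is still type-based`. VolumeJoinDaoImpl carries the same mixed condition in two places. `caller` is dereferenced here without a null check, and the method body extends beyond the hunk.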
@ -44,6 +44,7 @@ import com.cloud.storage.VMTemplateHostVO;
|
||||
import com.cloud.storage.VMTemplateStorageResourceAssoc.Status;
|
||||
import com.cloud.template.VirtualMachineTemplate;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
import com.cloud.utils.db.SearchCriteria;
|
||||
@ -59,6 +60,8 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
|
||||
|
||||
@Inject
|
||||
private ConfigurationDao _configDao;
|
||||
@Inject
|
||||
public AccountService _accountService;
|
||||
|
||||
private final SearchBuilder<TemplateJoinVO> tmpltIdPairSearch;
|
||||
|
||||
@ -99,7 +102,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
|
||||
private String getTemplateStatus(TemplateJoinVO template){
|
||||
boolean isAdmin = false;
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if ((caller == null) || BaseCmd.isAdmin(caller.getType())) {
|
||||
if ((caller == null) || _accountService.isAdmin(caller.getType())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
@ -319,7 +322,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase<TemplateJoinVO, Long> im
|
||||
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
boolean isAdmin = false;
|
||||
if ((caller == null) || BaseCmd.isAdmin(caller.getType())) {
|
||||
if ((caller == null) || _accountService.isAdmin(caller.getType())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
|
||||
|
||||
@ -41,6 +41,7 @@ import com.cloud.api.query.vo.ResourceTagJoinVO;
|
||||
import com.cloud.api.query.vo.UserVmJoinVO;
|
||||
import com.cloud.hypervisor.Hypervisor.HypervisorType;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountManager;
|
||||
import com.cloud.uservm.UserVm;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
@ -56,7 +57,8 @@ public class UserVmJoinDaoImpl extends GenericDaoBase<UserVmJoinVO, Long> implem
|
||||
|
||||
@Inject
|
||||
private ConfigurationDao _configDao;
|
||||
|
||||
@Inject
|
||||
public AccountManager _accountMgr;
|
||||
private final SearchBuilder<UserVmJoinVO> VmDetailSearch;
|
||||
private final SearchBuilder<UserVmJoinVO> activeVmByIsoSearch;
|
||||
|
||||
@ -121,7 +123,7 @@ public class UserVmJoinDaoImpl extends GenericDaoBase<UserVmJoinVO, Long> implem
|
||||
}
|
||||
userVmResponse.setZoneId(userVm.getDataCenterUuid());
|
||||
userVmResponse.setZoneName(userVm.getDataCenterName());
|
||||
if ((caller == null) || (caller.getType() == Account.ACCOUNT_TYPE_ADMIN)) {
|
||||
if ((caller == null) || (_accountMgr.isRootAdmin(caller.getId()))) {
|
||||
userVmResponse.setInstanceName(userVm.getInstanceName());
|
||||
userVmResponse.setHostId(userVm.getHostUuid());
|
||||
userVmResponse.setHostName(userVm.getHostName());
|
||||
|
||||
@ -39,6 +39,8 @@ import com.cloud.storage.VMTemplateHostVO;
|
||||
import com.cloud.storage.VMTemplateStorageResourceAssoc.Status;
|
||||
import com.cloud.storage.Volume;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountManager;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.utils.db.GenericDaoBase;
|
||||
import com.cloud.utils.db.SearchBuilder;
|
||||
import com.cloud.utils.db.SearchCriteria;
|
||||
@ -51,6 +53,8 @@ public class VolumeJoinDaoImpl extends GenericDaoBase<VolumeJoinVO, Long> implem
|
||||
|
||||
@Inject
|
||||
private ConfigurationDao _configDao;
|
||||
@Inject
|
||||
public AccountManager _accountMgr;
|
||||
|
||||
private final SearchBuilder<VolumeJoinVO> volSearch;
|
||||
|
||||
@ -114,7 +118,8 @@ public class VolumeJoinDaoImpl extends GenericDaoBase<VolumeJoinVO, Long> implem
|
||||
volResponse.setSize(volume.getVolumeStoreSize());
|
||||
volResponse.setCreated(volume.getCreatedOnStore());
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
|
||||
if (_accountMgr.isRootAdmin(caller.getId())
|
||||
|| caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
|
||||
volResponse.setHypervisor(ApiDBUtils.getHypervisorTypeFromFormat(volume.getFormat()).toString());
|
||||
if (volume.getDownloadState() != Status.DOWNLOADED) {
|
||||
String volumeStatus = "Processing";
|
||||
@ -171,7 +176,7 @@ public class VolumeJoinDaoImpl extends GenericDaoBase<VolumeJoinVO, Long> implem
|
||||
}
|
||||
|
||||
// return hypervisor and storage pool info for ROOT and Resource domain only
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
if (_accountMgr.isRootAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) {
|
||||
if (volume.getState() != Volume.State.UploadOp && volume.getHypervisorType() != null) {
|
||||
volResponse.setHypervisor(volume.getHypervisorType().toString());
|
||||
}
|
||||
|
||||
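Review bot: The rewritten condition `if (_accountMgr.isRootAdmin(caller.getId())` / `|| caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)` now spans two lines and still guards `volResponse.setHypervisor(...)` without braces; because this decides what a non-admin caller gets to see, it should be braced so that a line added later cannot end up outside the check. The import hunk adds both `AccountManager` and `AccountService`, but only `_accountMgr` is used in the visible hunks, so `import com.cloud.user.AccountService;` looks unused. `caller` is dereferenced without the `caller == null` test that UserVmJoinDaoImpl applies before the equivalent check.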
@ -1234,7 +1234,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
|
||||
DataCenterVO zone = _zoneDao.findById(zoneId);
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState()
|
||||
&& !_accountMgr.isRootAdmin(account.getType())) {
|
||||
&& !_accountMgr.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
|
||||
}
|
||||
|
||||
@ -2565,7 +2565,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati
|
||||
// Check if zone is enabled
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState()
|
||||
&& !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
&& !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
|
||||
}
|
||||
|
||||
|
||||
@ -1220,7 +1220,7 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy
|
||||
private boolean isRootAdmin(ReservationContext reservationContext) {
|
||||
if (reservationContext != null) {
|
||||
if (reservationContext.getAccount() != null) {
|
||||
return _accountMgr.isRootAdmin(reservationContext.getAccount().getType());
|
||||
return _accountMgr.isRootAdmin(reservationContext.getAccount().getId());
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
|
||||
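Review bot: The private `isRootAdmin(ReservationContext)` helper is duplicated verbatim in FirstFitPlanner (the next section), and its nested null checks can be one expression: `return reservationContext != null && reservationContext.getAccount() != null && _accountMgr.isRootAdmin(reservationContext.getAccount().getId());`. It also has no comment saying that a missing context or account is treated as "not root admin", which is the safe default and worth stating above the method. The closing branches of the method are outside the hunk, so I am assuming the outer `else` returns false as well.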
@ -468,7 +468,7 @@ public class FirstFitPlanner extends PlannerBase implements DeploymentClusterPla
|
||||
private boolean isRootAdmin(ReservationContext reservationContext) {
|
||||
if(reservationContext != null){
|
||||
if(reservationContext.getAccount() != null){
|
||||
return _accountMgr.isRootAdmin(reservationContext.getAccount().getType());
|
||||
return _accountMgr.isRootAdmin(reservationContext.getAccount().getId());
|
||||
}else{
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -983,7 +983,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage
|
||||
VlanType vlanType = VlanType.VirtualNetwork;
|
||||
boolean assign = false;
|
||||
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
// zone is of type DataCenter. See DataCenterVO.java.
|
||||
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, " + "Zone is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "zoneId");
|
||||
|
||||
@ -1018,7 +1018,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
|
||||
}
|
||||
|
||||
if(displayNetwork != null){
|
||||
if(!_accountMgr.isRootAdmin(caller.getType())){
|
||||
if(!_accountMgr.isRootAdmin(caller.getId())){
|
||||
throw new PermissionDeniedException("Only admin allowed to update displaynetwork parameter");
|
||||
}
|
||||
}else{
|
||||
@ -1030,7 +1030,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
|
||||
throw new InvalidParameterValueException("Specified zone id was not found");
|
||||
}
|
||||
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
// See DataCenterVO.java
|
||||
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "zoneId");
|
||||
@ -1194,13 +1194,13 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
|
||||
}
|
||||
|
||||
// Don't allow to specify vlan if the caller is not ROOT admin
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && (ntwkOff.getSpecifyVlan() || vlanId != null)) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId()) && (ntwkOff.getSpecifyVlan() || vlanId != null)) {
|
||||
throw new InvalidParameterValueException("Only ROOT admin is allowed to specify vlanId");
|
||||
}
|
||||
|
||||
if (ipv4) {
|
||||
// For non-root admins check cidr limit - if it's allowed by global config value
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && cidr != null) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId()) && cidr != null) {
|
||||
|
||||
String[] cidrPair = cidr.split("\\/");
|
||||
int cidrSize = Integer.valueOf(cidrPair[1]);
|
||||
@ -1307,7 +1307,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
|
||||
ip6Gateway, ip6Cidr, displayNetwork, isolatedPvlan);
|
||||
}
|
||||
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN && createVlan) {
|
||||
if (_accountMgr.isRootAdmin(caller.getId()) && createVlan) {
|
||||
// Create vlan ip range
|
||||
_configMgr.createVlanAndPublicIpRange(pNtwk.getDataCenterId(), network.getId(), physicalNetworkId,
|
||||
false, null, startIP, endIP, gateway, netmask, vlanId, null, startIPv6, endIPv6, ip6Gateway, ip6Cidr);
|
||||
@ -1960,7 +1960,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService {
|
||||
}
|
||||
|
||||
if(displayNetwork != null){
|
||||
if(!_accountMgr.isRootAdmin(callerAccount.getType())){
|
||||
if (!_accountMgr.isRootAdmin(callerAccount.getId())) {
|
||||
throw new PermissionDeniedException("Only admin allowed to update displaynetwork parameter");
|
||||
}
|
||||
network.setDisplayNetwork(displayNetwork);
|
||||
|
||||
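Review bot: The VLAN check in the hunk at -1194 rejects a non-root caller with `InvalidParameterValueException("Only ROOT admin is allowed to specify vlanId")`, while the other privilege checks in this file throw `PermissionDeniedException`; an authorization failure reported as a parameter error is harder to pick out in API responses and audit logs. I would change it to `throw new PermissionDeniedException("Only ROOT admin is allowed to specify vlanId");`, provided no caller depends on the current type. The same applies to the system firewall rule check in FirewallManagerImpl and to the extractable check in TemplateManagerImpl. Separately, the `displayNetwork` messages say "Only admin" although the check is for root admin.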
@ -695,7 +695,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService,
|
||||
throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.Firewall);
|
||||
}
|
||||
|
||||
if (rule.getType() == FirewallRuleType.System && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (rule.getType() == FirewallRuleType.System && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule");
|
||||
}
|
||||
|
||||
|
||||
@ -612,7 +612,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis
|
||||
throw new InvalidParameterValueException("Can't find zone by id specified");
|
||||
}
|
||||
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
// See DataCenterVO.java
|
||||
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "zoneId");
|
||||
|
||||
@ -417,7 +417,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
|
||||
@Override
|
||||
public boolean canAccessProjectAccount(Account caller, long accountId) {
|
||||
//ROOT admin always can access the project
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountMgr.isRootAdmin(caller.getId())) {
|
||||
return true;
|
||||
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
Account owner = _accountMgr.getAccount(accountId);
|
||||
@ -431,7 +431,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager {
|
||||
@Override
|
||||
public boolean canModifyProjectAccount(Account caller, long accountId) {
|
||||
//ROOT admin always can access the project
|
||||
if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (_accountMgr.isRootAdmin(caller.getId())) {
|
||||
return true;
|
||||
} else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
|
||||
Account owner = _accountMgr.getAccount(accountId);
|
||||
|
||||
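Review bot: In `canAccessProjectAccount` and `canModifyProjectAccount` the root-admin branch now goes through `_accountMgr.isRootAdmin(caller.getId())` while the `else if` next to it still reads `caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN`, so one access decision is made from two different sources. Once root admin is resolved by the account manager, the two tests can classify the same account differently; a comment such as `// TODO: domain-admin check still uses the account type; move it to _accountMgr with the role refactoring` would record that the split is known. The comment on `canModifyProjectAccount` also says "can access the project" where it means modify. Both method bodies continue past the hunks.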
@ -368,7 +368,7 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
|
||||
}
|
||||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
|
||||
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "dcId");
|
||||
throw ex;
|
||||
@ -591,7 +591,7 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager,
|
||||
}
|
||||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
|
||||
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "dcId");
|
||||
throw ex;
|
||||
|
||||
@ -263,7 +263,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
|
||||
long max = Resource.RESOURCE_UNLIMITED; // if resource limit is not found, then we treat it as unlimited
|
||||
|
||||
// No limits for Root Admin accounts
|
||||
if (_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (_accountMgr.isRootAdmin(account.getId())) {
|
||||
return max;
|
||||
}
|
||||
|
||||
@ -293,15 +293,16 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
|
||||
}
|
||||
|
||||
@Override
|
||||
public long findCorrectResourceLimitForAccount(short accountType, Long limit, ResourceType type) {
|
||||
public long findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type) {
|
||||
|
||||
long max = Resource.RESOURCE_UNLIMITED; // if resource limit is not found, then we treat it as unlimited
|
||||
|
||||
// No limits for Root Admin accounts
|
||||
if (_accountMgr.isRootAdmin(accountType)) {
|
||||
if (_accountMgr.isRootAdmin(accountId)) {
|
||||
return max;
|
||||
}
|
||||
|
||||
Account account = _accountDao.findById(accountId);
|
||||
|
||||
// Check if limit is configured for account
|
||||
if (limit != null) {
|
||||
@ -309,7 +310,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
|
||||
} else {
|
||||
// If the account has an no limit set, then return global default account limits
|
||||
Long value = null;
|
||||
if (accountType == Account.ACCOUNT_TYPE_PROJECT) {
|
||||
if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
|
||||
value = projectResourceLimitMap.get(type);
|
||||
} else {
|
||||
value = accountResourceLimitMap.get(type);
|
||||
@ -366,7 +367,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
|
||||
Project project = null;
|
||||
|
||||
// Don't place any limits on system or root admin accounts
|
||||
if (_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (_accountMgr.isRootAdmin(account.getId())) {
|
||||
return;
|
||||
}
|
||||
|
||||
@ -605,7 +606,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim
|
||||
}
|
||||
|
||||
//only Unlimited value is accepted if account is Root Admin
|
||||
if (_accountMgr.isRootAdmin(account.getType()) && max.shortValue() != ResourceLimit.RESOURCE_UNLIMITED) {
|
||||
if (_accountMgr.isRootAdmin(account.getId()) && max.shortValue() != ResourceLimit.RESOURCE_UNLIMITED) {
|
||||
throw new InvalidParameterValueException("Only " + ResourceLimit.RESOURCE_UNLIMITED + " limit is supported for Root Admin accounts");
|
||||
}
|
||||
|
||||
|
||||
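Review bot: `findCorrectResourceLimitForAccount(long accountId, ...)` now loads the account with `_accountDao.findById(accountId)` and later calls `account.getType()` without checking the result, so an id with no matching row ends in a NullPointerException instead of a clear error. I would add `if (account == null) { throw new InvalidParameterValueException("Unable to find account " + accountId); }` directly after the lookup; the exception type is a suggestion taken from the one this file already throws. The method also resolves the same id twice, once inside `isRootAdmin(accountId)` and once in `findById`, which a comment could note if it stays. The part of the method between the two hunks is not visible.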
@ -1030,7 +1030,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
|
||||
listHostsForMigrationOfVM(Long vmId, Long startIndex, Long pageSize) {
|
||||
// access check - only root admin can migrate VM
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
|
||||
}
|
||||
@ -1240,7 +1240,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
|
||||
public Pair<List<? extends StoragePool>, List<? extends StoragePool>> listStoragePoolsForMigrationOfVolume(Long volumeId) {
|
||||
// Access check - only root administrator can migrate volumes.
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("Caller is not a root admin, permission denied to migrate the volume");
|
||||
}
|
||||
@ -1826,7 +1826,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
|
||||
_accountMgr.checkAccess(account, AccessType.ModifyEntry, true, template);
|
||||
|
||||
if(cmd.isRoutingType() != null){
|
||||
if(!_accountService.isRootAdmin(account.getType())){
|
||||
if (!_accountService.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
|
||||
}
|
||||
}
|
||||
@ -2477,13 +2477,6 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe
|
||||
|
||||
}
|
||||
|
||||
public static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
|
||||
|| (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public List<Class<?>> getCommands() {
|
||||
List<Class<?>> cmdList = new ArrayList<Class<?>>();
|
||||
|
||||
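Review bot: In `listHostsForMigrationOfVM` and `listStoragePoolsForMigrationOfVolume` the failed root-admin check is recorded only under `s_logger.isDebugEnabled()` and the message does not identify the caller, so a refused migration listing leaves no trace at normal log levels. I would log it unconditionally with the account, for example `s_logger.info("Account " + caller.getId() + " is not a root admin, permission denied to migrate the VM");`. This class also uses `_accountMgr.isRootAdmin(...)` and `_accountService.isRootAdmin(...)` for the same check; keeping to one of the two would be easier to follow. What follows the log statement is outside both hunks.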
@ -465,7 +465,7 @@ public class ConsoleProxyServlet extends HttpServlet {
|
||||
}
|
||||
|
||||
// root admin can access anything
|
||||
if(accountObj.getType() == Account.ACCOUNT_TYPE_ADMIN)
|
||||
if (_accountMgr.isRootAdmin(accountObj.getId()))
|
||||
return true;
|
||||
|
||||
switch(vm.getType())
|
||||
|
||||
@ -631,7 +631,7 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
|
||||
}
|
||||
// Check if zone is disabled
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
|
||||
}
|
||||
|
||||
@ -1675,7 +1675,8 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
|
||||
}
|
||||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState()
|
||||
&& !_accountMgr.isRootAdmin(account.getId())) {
|
||||
PermissionDeniedException ex = new PermissionDeniedException(
|
||||
"Cannot perform this operation, Zone with specified id is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "dcId");
|
||||
@ -1828,7 +1829,7 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C
|
||||
}
|
||||
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
|
||||
PermissionDeniedException ex = new PermissionDeniedException(
|
||||
"Cannot perform this operation, Zone with specified id is currently disabled");
|
||||
ex.addProxyObject(zone.getUuid(), "dcId");
|
||||
|
||||
@ -360,7 +360,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
|
||||
}
|
||||
|
||||
// Check if zone is disabled
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
|
||||
}
|
||||
|
||||
@ -572,7 +572,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
|
||||
if (displayVolumeEnabled == null) {
|
||||
displayVolumeEnabled = true;
|
||||
} else {
|
||||
if (!_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
|
||||
}
|
||||
}
|
||||
@ -587,7 +587,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
|
||||
}
|
||||
|
||||
// Check if zone is disabled
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
|
||||
}
|
||||
|
||||
@ -1352,7 +1352,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
|
||||
throw new InvalidParameterValueException("Can't find zone by id " + volume.getDataCenterId());
|
||||
}
|
||||
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zone.getName());
|
||||
}
|
||||
|
||||
@ -1383,7 +1383,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
|
||||
String mode = cmd.getMode();
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
|
||||
if (!_accountMgr.isRootAdmin(account.getType()) && ApiDBUtils.isExtractionDisabled()) {
|
||||
if (!_accountMgr.isRootAdmin(account.getId()) && ApiDBUtils.isExtractionDisabled()) {
|
||||
throw new PermissionDeniedException("Extraction has been disabled by admin");
|
||||
}
|
||||
|
||||
@ -1421,7 +1421,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic
|
||||
// we allow extraction of all ISO based
|
||||
// volumes
|
||||
boolean isExtractable = template.isExtractable() && template.getTemplateType() != Storage.TemplateType.SYSTEM;
|
||||
if (!isExtractable && account != null && account.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!isExtractable && account != null && !_accountMgr.isRootAdmin(account.getId())) {
|
||||
// Global admins are always allowed to extract
|
||||
PermissionDeniedException ex = new PermissionDeniedException("The volume with specified volumeId is not allowed to be extracted");
|
||||
ex.addProxyObject(volume.getUuid(), "volumeId");
|
||||
|
||||
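Review bot: The extractable check in the hunk at -1421 tests `account != null` before calling `isRootAdmin`, but the hunk at -1383 already dereferences the same `account` with `account.getId()`, so (assuming both hunks belong to one method) the null test is dead; read on its own it also means that a missing account skips the deny branch. I would write the condition as `if (!isExtractable && !_accountMgr.isRootAdmin(account.getId())) {`, or, if a null account is really possible here, deny in that case and guard the earlier call too. The comment `// Global admins are always allowed to extract` belongs above the `if` rather than inside the branch that refuses the extraction.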
@ -764,7 +764,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager,
|
||||
long accountLimit = _resourceLimitMgr.findCorrectResourceLimitForAccount(owner, ResourceType.snapshot);
|
||||
long domainLimit = _resourceLimitMgr.findCorrectResourceLimitForDomain(_domainMgr.getDomain(owner.getDomainId()), ResourceType.snapshot);
|
||||
int max = cmd.getMaxSnaps().intValue();
|
||||
if (owner.getType() != Account.ACCOUNT_TYPE_ADMIN && ((accountLimit != -1 && max > accountLimit) || (domainLimit != -1 && max > domainLimit))) {
|
||||
if (!_accountMgr.isRootAdmin(owner.getId())&& ((accountLimit != -1 && max > accountLimit) || (domainLimit != -1 && max > domainLimit))) {
|
||||
String message = "domain/account";
|
||||
if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT) {
|
||||
message = "domain/project";
|
||||
|
||||
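Review bot: The rewritten condition compares both limits with a bare `-1` and lost the space before the operator (`isRootAdmin(owner.getId())&& (`). If `-1` is the unlimited sentinel that ResourceLimitManagerImpl refers to as `Resource.RESOURCE_UNLIMITED`, using the constant would make the intent clear: `accountLimit != Resource.RESOURCE_UNLIMITED && max > accountLimit`. The exemption is keyed on the snapshot `owner` and not on the calling account, which deserves a one-line comment such as `// limits are skipped when the owner, not the caller, is root admin`. The method starts and ends outside the hunk.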
@ -95,13 +95,6 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
|
||||
return true;
|
||||
}
|
||||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) ||
|
||||
(accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
||||
@Override
|
||||
public TemplateProfile prepare(boolean isIso, Long userId, String name, String displayText, Integer bits,
|
||||
Boolean passwordEnabled, Boolean requiresHVM, String url, Boolean isPublic, Boolean featured,
|
||||
@ -158,7 +151,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
|
||||
sshkeyEnabled = Boolean.FALSE;
|
||||
}
|
||||
|
||||
boolean isAdmin = _accountDao.findById(templateOwner.getId()).getType() == Account.ACCOUNT_TYPE_ADMIN;
|
||||
boolean isAdmin = _accountMgr.isRootAdmin(templateOwner.getId());
|
||||
|
||||
if (!isAdmin && zoneId == null) {
|
||||
throw new InvalidParameterValueException("Please specify a valid zone Id.");
|
||||
@ -191,7 +184,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
|
||||
|
||||
_resourceLimitMgr.checkResourceLimit(templateOwner, ResourceType.template);
|
||||
|
||||
if (templateOwner.getType() != Account.ACCOUNT_TYPE_ADMIN && zoneId == null) {
|
||||
if (!_accountMgr.isRootAdmin(templateOwner.getId()) && zoneId == null) {
|
||||
throw new IllegalArgumentException("Only admins can create templates in all zones");
|
||||
}
|
||||
|
||||
@ -202,7 +195,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
|
||||
throw new IllegalArgumentException("Please specify a valid zone.");
|
||||
}
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if(Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())){
|
||||
if(Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())){
|
||||
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: "+ zoneId );
|
||||
}
|
||||
}
|
||||
@ -298,7 +291,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat
|
||||
throws PermissionDeniedException {
|
||||
|
||||
if (account != null) {
|
||||
if (!isAdmin(account.getType())) {
|
||||
if (!_accountMgr.isAdmin(account.getType())) {
|
||||
if ((vmInstanceCheck != null) && (account.getId() != vmInstanceCheck.getAccountId())) {
|
||||
throw new PermissionDeniedException(msg + ". Permission denied.");
|
||||
}
|
||||
|
||||
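Review bot: `boolean isAdmin = _accountMgr.isRootAdmin(templateOwner.getId());` stores a root-admin result in a local named `isAdmin`, in a class that also calls `_accountMgr.isAdmin(account.getType())`, which presumably keeps the wider meaning of the helper removed here (domain, resource-domain and read-only admins included). In authorization code the two should not share a name; I would rename the local, `boolean isRootAdmin = _accountMgr.isRootAdmin(templateOwner.getId());`, and update `if (!isRootAdmin && zoneId == null)` along with any later uses outside the hunk. The message "Only admins can create templates in all zones" in the hunk at -191 has the same ambiguity. Both checks are made on `templateOwner` rather than on the caller, which needs a comment if it is intended.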
@ -334,12 +334,12 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
public VirtualMachineTemplate registerTemplate(RegisterTemplateCmd cmd) throws URISyntaxException, ResourceAllocationException {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (cmd.getTemplateTag() != null) {
|
||||
if (!_accountService.isRootAdmin(account.getType())) {
|
||||
if (!_accountService.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied");
|
||||
}
|
||||
}
|
||||
if(cmd.isRoutingType() != null){
|
||||
if(!_accountService.isRootAdmin(account.getType())){
|
||||
if (!_accountService.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
|
||||
}
|
||||
}
|
||||
@ -422,7 +422,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
}
|
||||
eventId = eventId == null ? 0 : eventId;
|
||||
|
||||
if (!_accountMgr.isRootAdmin(caller.getType()) && _disableExtraction) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId()) && _disableExtraction) {
|
||||
throw new PermissionDeniedException("Extraction has been disabled by admin");
|
||||
}
|
||||
|
||||
@ -453,7 +453,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
throw new IllegalArgumentException("Please specify a valid zone.");
|
||||
}
|
||||
|
||||
if (!_accountMgr.isRootAdmin(caller.getType()) && !template.isExtractable()) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId()) && !template.isExtractable()) {
|
||||
throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable");
|
||||
}
|
||||
|
||||
@ -1248,7 +1248,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
updatedTemplate.setFeatured(isFeatured.booleanValue());
|
||||
}
|
||||
|
||||
if (isExtractable != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {// Only
|
||||
if (isExtractable != null && _accountMgr.isRootAdmin(caller.getId())) {// Only
|
||||
// ROOT
|
||||
// admins
|
||||
// allowed
|
||||
@ -1258,7 +1258,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
// powerful
|
||||
// attribute
|
||||
updatedTemplate.setExtractable(isExtractable.booleanValue());
|
||||
} else if (isExtractable != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
} else if (isExtractable != null && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new InvalidParameterValueException("Only ROOT admins are allowed to modify this attribute.");
|
||||
}
|
||||
|
||||
@ -1438,18 +1438,13 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean isAdmin(short accountType) {
|
||||
return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN)
|
||||
|| (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN));
|
||||
}
|
||||
|
||||
@Override
|
||||
@ActionEvent(eventType = EventTypes.EVENT_TEMPLATE_CREATE, eventDescription = "creating template", create = true)
|
||||
public VMTemplateVO createPrivateTemplateRecord(CreateTemplateCmd cmd, Account templateOwner) throws ResourceAllocationException {
|
||||
Long userId = CallContext.current().getCallingUserId();
|
||||
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
boolean isAdmin = (isAdmin(caller.getType()));
|
||||
boolean isAdmin = (_accountMgr.isAdmin(caller.getType()));
|
||||
|
||||
_accountMgr.checkAccess(caller, null, true, templateOwner);
|
||||
|
||||
@ -1459,7 +1454,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
}
|
||||
|
||||
if (cmd.getTemplateTag() != null) {
|
||||
if (!_accountService.isRootAdmin(caller.getType())) {
|
||||
if (!_accountService.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied");
|
||||
}
|
||||
}
|
||||
@ -1722,7 +1717,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager,
|
||||
// do a permission check
|
||||
_accountMgr.checkAccess(account, AccessType.ModifyEntry, true, template);
|
||||
if(cmd.isRoutingType() != null){
|
||||
if(!_accountService.isRootAdmin(account.getType())){
|
||||
if (!_accountService.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied");
|
||||
}
|
||||
}
|
||||
|
||||
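Review bot: The extractable update in the hunks at -1248 and -1258 calls `_accountMgr.isRootAdmin(caller.getId())` twice with opposite sense in an `if` / `else if`, which was harmless for a field comparison but now repeats whatever lookup the account manager performs. Evaluating it once, `boolean callerIsRootAdmin = _accountMgr.isRootAdmin(caller.getId());`, and testing `isExtractable != null` in a single outer `if` keeps the allow and the deny branch tied to the same answer. The class also uses `_accountService.isRootAdmin(...)` and `_accountMgr.isRootAdmin(...)` side by side for the same check. The trailing comment that is split one word per line ("Only ROOT admins allowed ...") would read better as one line above the `if`. The method begins and ends outside these hunks.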
@ -47,6 +47,7 @@ import com.cloud.projects.ProjectManager;
|
||||
import com.cloud.usage.dao.UsageDao;
|
||||
import com.cloud.usage.dao.UsageJobDao;
|
||||
import com.cloud.user.Account;
|
||||
import com.cloud.user.AccountService;
|
||||
import com.cloud.user.AccountVO;
|
||||
import com.cloud.user.dao.AccountDao;
|
||||
import com.cloud.utils.component.Manager;
|
||||
@ -69,6 +70,8 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
|
||||
@Inject private ConfigurationDao _configDao;
|
||||
@Inject private ProjectManager _projectMgr;
|
||||
private TimeZone _usageTimezone;
|
||||
@Inject
|
||||
private AccountService _accountService;
|
||||
|
||||
public UsageServiceImpl() {
|
||||
}
|
||||
@ -156,7 +159,7 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag
|
||||
accountId = caller.getId();
|
||||
//List records for all the accounts if the caller account is of type admin.
|
||||
//If account_id or account_name is explicitly mentioned, list records for the specified account only even if the caller is of type admin
|
||||
if(caller.getType() == Account.ACCOUNT_TYPE_ADMIN){
|
||||
if (_accountService.isRootAdmin(caller.getId())) {
|
||||
isAdmin = true;
|
||||
}
|
||||
s_logger.debug("Account details not available. Using userContext accountId: " + accountId);
|
||||
|
||||
@ -344,16 +344,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isRootAdmin(short accountType) {
|
||||
return (accountType == Account.ACCOUNT_TYPE_ADMIN);
|
||||
public boolean isRootAdmin(long accountId) {
|
||||
// refer to account_group_map and check if account is in Root 'Admin'
|
||||
// group
|
||||
return false;
|
||||
}
|
||||
|
||||
public boolean isResourceDomainAdmin(short accountType) {
|
||||
return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN);
|
||||
}
|
||||
|
||||
public boolean isInternalAccount(short accountType) {
|
||||
if (isRootAdmin(accountType) || (accountType == Account.ACCOUNT_ID_SYSTEM)) {
|
||||
public boolean isInternalAccount(long accountId) {
|
||||
Account account = _accountDao.findById(accountId);
|
||||
if (isRootAdmin(accountId) || (account.getType() == Account.ACCOUNT_ID_SYSTEM)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
@ -377,7 +380,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
||||
@Override
|
||||
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) {
|
||||
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) {
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
|
||||
// no need to make permission checks if the system/root admin makes the call
|
||||
if (s_logger.isTraceEnabled()) {
|
||||
s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
|
||||
@ -1973,7 +1976,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
||||
// return null;
|
||||
}
|
||||
// Whenever the user is able to log in successfully, reset the login attempts to zero
|
||||
if(!isInternalAccount(userAccount.getType()))
|
||||
if (!isInternalAccount(userAccount.getId()))
|
||||
updateLoginAttempts(userAccount.getId(), 0, false);
|
||||
|
||||
return userAccount;
|
||||
@ -2230,7 +2233,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M
|
||||
} else if (!listAll) {
|
||||
if (id == null) {
|
||||
permittedAccounts.add(caller.getId());
|
||||
} else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
} else if (!isRootAdmin(caller.getId())) {
|
||||
domainIdRecursiveListProject.first(caller.getDomainId());
|
||||
domainIdRecursiveListProject.second(true);
|
||||
}
|
||||
|
||||
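Review bot: `isRootAdmin(long accountId)` is left as a stub that always returns false, so every call site converted in this commit now treats root admins as ordinary callers, and the shortcut at the top of `checkAccess` applies to the system account only. That mostly fails closed, but it also switches off checks that depend on a positive answer, such as the ResourceLimitManagerImpl guard that accepts only the unlimited value for root admin accounts. Until the group lookup exists I would keep the old semantics behind the new signature: `Account account = _accountDao.findById(accountId);` followed by `return account != null && account.getType() == Account.ACCOUNT_TYPE_ADMIN;`. In the same hunk `isInternalAccount` dereferences the `findById` result without a null check and compares `account.getType()` with `Account.ACCOUNT_ID_SYSTEM`, which is an id constant, not a type; a system-account test would look like the `caller.getId() == Account.ACCOUNT_ID_SYSTEM` used in `checkAccess`. The rest of `isInternalAccount` and of `checkAccess` is outside the hunks.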
@ -431,7 +431,7 @@ public class DomainManagerImpl extends ManagerBase implements DomainManager, Dom
|
||||
}
|
||||
_accountMgr.checkAccess(caller, domain);
|
||||
} else {
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
domainId = caller.getDomainId();
|
||||
}
|
||||
if (listAll) {
|
||||
|
||||
@ -1800,7 +1800,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
if (isDisplayVmEnabled == null) {
|
||||
isDisplayVmEnabled = vmInstance.isDisplayVm();
|
||||
} else{
|
||||
if(!_accountMgr.isRootAdmin(caller.getType())){
|
||||
if(!_accountMgr.isRootAdmin(caller.getId())){
|
||||
throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted ");
|
||||
}
|
||||
}
|
||||
@ -2471,7 +2471,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
assert !(requestedIps != null && (defaultIps.getIp4Address() != null || defaultIps.getIp6Address() != null)) : "requestedIp list and defaultNetworkIp should never be specified together";
|
||||
|
||||
if (Grouping.AllocationState.Disabled == zone.getAllocationState()
|
||||
&& !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
&& !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException(
|
||||
"Cannot perform this operation, Zone is currently disabled: "
|
||||
+ zone.getId());
|
||||
@ -2540,7 +2540,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
// Root admin has access to both VM and AG by default,
|
||||
// but
|
||||
// make sure the owner of these entities is same
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) {
|
||||
throw new PermissionDeniedException("Affinity Group " + ag
|
||||
+ " does not belong to the VM's domain");
|
||||
@ -2551,7 +2551,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
// Root admin has access to both VM and AG by default,
|
||||
// but
|
||||
// make sure the owner of these entities is same
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (ag.getAccountId() != owner.getAccountId()) {
|
||||
throw new PermissionDeniedException("Affinity Group " + ag
|
||||
+ " does not belong to the VM's account");
|
||||
@ -2776,7 +2776,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
}
|
||||
|
||||
if(isDisplayVmEnabled != null){
|
||||
if(!_accountMgr.isRootAdmin(caller.getType())){
|
||||
if(!_accountMgr.isRootAdmin(caller.getId())){
|
||||
throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted ");
|
||||
}
|
||||
vm.setDisplayVm(isDisplayVmEnabled);
|
||||
@ -3264,7 +3264,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
Host destinationHost = null;
|
||||
if (hostId != null) {
|
||||
Account account = CallContext.current().getCallingAccount();
|
||||
if (!_accountService.isRootAdmin(account.getType())) {
|
||||
if (!_accountService.isRootAdmin(account.getId())) {
|
||||
throw new PermissionDeniedException(
|
||||
"Parameter hostid can only be specified by a Root Admin, permission denied");
|
||||
}
|
||||
@ -3759,7 +3759,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
public VirtualMachine vmStorageMigration(Long vmId, StoragePool destPool) {
|
||||
// access check - only root admin can migrate VM
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
|
||||
}
|
||||
@ -3832,7 +3832,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
ManagementServerException, VirtualMachineMigrationException {
|
||||
// access check - only root admin can migrate VM
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
|
||||
}
|
||||
@ -4162,7 +4162,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
ManagementServerException, VirtualMachineMigrationException {
|
||||
// Access check - only root administrator can migrate VM.
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (s_logger.isDebugEnabled()) {
|
||||
s_logger.debug("Caller is not a root admin, permission denied to migrate the VM");
|
||||
}
|
||||
@ -4289,7 +4289,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir
|
||||
|
||||
// VV 1: verify the two users
|
||||
Account caller = CallContext.current().getCallingAccount();
|
||||
if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())
|
||||
&& caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only
|
||||
// root
|
||||
// admin
|
||||
|
||||
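Review bot: The `VV 1: verify the two users` condition in the last hunk of this file is only half migrated: `if (!_accountMgr.isRootAdmin(caller.getId()) && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN)` resolves root admin through the account manager by ID but still compares the raw type for domain admin. If the refactor is meant to put the privilege decision in one place, the two halves can disagree once isRootAdmin stops being a pure type test. Either route the domain-admin half through an equivalent account-manager check, or mark it with a comment such as `// TODO: domain-admin check is still type-based; migrate together with isRootAdmin` so the remaining direct getType() use is tracked. The enclosing method starts and ends outside the hunk.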
@ -161,7 +161,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
|
||||
|
||||
AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType);
|
||||
|
||||
if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) {
|
||||
throw new PermissionDeniedException("Cannot create the affinity group");
|
||||
}
|
||||
|
||||
@ -176,7 +176,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
|
||||
|
||||
} else if (domainId != null && account == null) {
|
||||
|
||||
if (!_accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (!_accountMgr.isRootAdmin(caller.getId())) {
|
||||
// non root admin need to pass both account and domain
|
||||
throw new InvalidParameterValueException(
|
||||
"Unable to create affinity group, account name must be passed with the domainId");
|
||||
@ -484,7 +484,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro
|
||||
_accountMgr.checkAccess(caller, null, true, owner, ag);
|
||||
// Root admin has access to both VM and AG by default, but make sure the
|
||||
// owner of these entities is same
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) {
|
||||
if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) {
|
||||
if (ag.getAccountId() != owner.getAccountId()) {
|
||||
throw new PermissionDeniedException("Affinity Group " + ag
|
||||
+ " does not belong to the VM's account");
|
||||
|
||||
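Review bot: The predicate `caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())` in the third hunk here is also written out in two UserVmManagerImpl hunks and in AccountManagerImpl, so the definition of a privileged caller is copied rather than shared. A single helper on the account manager (a proposed name would be `isSystemOrRootAdmin(long accountId)`) would keep the copies from drifting apart when the role model changes. Whether isRootAdmin already returns true for the system account cannot be seen from these hunks; if it does, the first operand is redundant and could be dropped.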
@ -163,7 +163,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isRootAdmin(short accountType) {
|
||||
public boolean isRootAdmin(long accountId) {
|
||||
// TODO Auto-generated method stub
|
||||
return false;
|
||||
}
|
||||
|
||||
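Review bot: Changing the parameter from `short accountType` to `long accountId` under the same method name means a missed call site that still passes `caller.getType()` keeps compiling, because Java widens short to long implicitly. The type code would then be treated as an account ID and the authorization answer would be silently wrong. Since the compiler cannot flag such stragglers, it is worth searching the tree for any remaining `isRootAdmin(` call whose argument comes from `getType()`, or choosing a parameter type that rejects a short, for example `boolean isRootAdmin(Account account)`. The stub here returns false for every ID, so tests built on this mock will not exercise the root-admin paths.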