From aba54356d58fcc217b804f51d21e5af69a6b106f Mon Sep 17 00:00:00 2001 From: Prachi Damle Date: Tue, 24 Sep 2013 15:30:31 -0700 Subject: [PATCH] Account_Type Refactoring for Root Admin Role - change the AccountService::isRootAdmin(short) to isRootAdmin(long accountId); - Change all callers - Change all places that check the account.getType() directly to call the AccountManagerImpl. --- api/src/com/cloud/user/Account.java | 7 ------ api/src/com/cloud/user/AccountService.java | 2 +- .../com/cloud/user/ResourceLimitService.java | 2 +- .../org/apache/cloudstack/api/BaseCmd.java | 10 -------- .../BaseListTemplateOrIsoPermissionsCmd.java | 2 +- .../api/command/admin/user/CreateUserCmd.java | 2 +- .../affinitygroup/CreateAffinityGroupCmd.java | 2 +- .../affinitygroup/DeleteAffinityGroupCmd.java | 2 +- .../api/command/user/iso/ListIsosCmd.java | 8 ++----- .../user/resource/UpdateResourceCountCmd.java | 2 +- .../securitygroup/CreateSecurityGroupCmd.java | 2 +- .../command/user/ssh/DeleteSSHKeyPairCmd.java | 2 +- .../user/template/ListTemplatesCmd.java | 9 ++------ .../ratelimit/ApiRateLimitServiceImpl.java | 2 +- .../ratelimit/ApiRateLimitTest.java | 2 +- .../cloud/acl/AffinityGroupAccessChecker.java | 2 +- server/src/com/cloud/acl/DomainChecker.java | 13 +++++++---- server/src/com/cloud/api/ApiDBUtils.java | 4 ++-- .../src/com/cloud/api/ApiResponseHelper.java | 5 ++-- server/src/com/cloud/api/ApiServer.java | 8 +++---- .../com/cloud/api/query/QueryManagerImpl.java | 8 +++---- .../api/query/dao/AccountJoinDaoImpl.java | 10 +++++--- .../api/query/dao/DataCenterJoinDaoImpl.java | 6 ++++- .../query/dao/DomainRouterJoinDaoImpl.java | 5 +++- .../api/query/dao/TemplateJoinDaoImpl.java | 7 ++++-- .../api/query/dao/UserVmJoinDaoImpl.java | 6 +++-- .../api/query/dao/VolumeJoinDaoImpl.java | 9 ++++++-- .../ConfigurationManagerImpl.java | 4 ++-- .../deploy/DeploymentPlanningManagerImpl.java | 2 +- .../src/com/cloud/deploy/FirstFitPlanner.java | 2 +- .../cloud/network/IpAddressManagerImpl.java | 2 +- .../com/cloud/network/NetworkServiceImpl.java | 12 +++++----- .../network/firewall/FirewallManagerImpl.java | 2 +- .../com/cloud/network/vpc/VpcManagerImpl.java | 2 +- .../cloud/projects/ProjectManagerImpl.java | 4 ++-- .../cloud/resource/ResourceManagerImpl.java | 4 ++-- .../ResourceLimitManagerImpl.java | 13 ++++++----- .../cloud/server/ManagementServerImpl.java | 13 +++-------- .../cloud/servlet/ConsoleProxyServlet.java | 2 +- .../com/cloud/storage/StorageManagerImpl.java | 7 +++--- .../cloud/storage/VolumeApiServiceImpl.java | 12 +++++----- .../storage/snapshot/SnapshotManagerImpl.java | 2 +- .../cloud/template/TemplateAdapterBase.java | 15 ++++-------- .../cloud/template/TemplateManagerImpl.java | 23 ++++++++----------- .../src/com/cloud/usage/UsageServiceImpl.java | 5 +++- .../com/cloud/user/AccountManagerImpl.java | 17 ++++++++------ .../src/com/cloud/user/DomainManagerImpl.java | 2 +- .../src/com/cloud/vm/UserVmManagerImpl.java | 20 ++++++++-------- .../affinity/AffinityGroupServiceImpl.java | 6 ++--- .../cloud/user/MockAccountManagerImpl.java | 2 +- 50 files changed, 150 insertions(+), 162 deletions(-) diff --git a/api/src/com/cloud/user/Account.java b/api/src/com/cloud/user/Account.java index 940a0eb2667..a558cfb6d99 100755 --- a/api/src/com/cloud/user/Account.java +++ b/api/src/com/cloud/user/Account.java @@ -24,13 +24,6 @@ import org.apache.cloudstack.api.InternalIdentity; public interface Account extends ControlledEntity, InternalIdentity, Identity { - public enum Type { - Normal, - Admin, - DomainAdmin, - CustomerCare, - Project - } public enum State { disabled, diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java index 8153a3f1af6..2101d1e525d 100755 --- a/api/src/com/cloud/user/AccountService.java +++ b/api/src/com/cloud/user/AccountService.java @@ -86,7 +86,7 @@ public interface AccountService { User getUserIncludingRemoved(long userId); - boolean isRootAdmin(short accountType); + boolean isRootAdmin(long accountId); User getActiveUserByRegistrationToken(String registrationToken); diff --git a/api/src/com/cloud/user/ResourceLimitService.java b/api/src/com/cloud/user/ResourceLimitService.java index bec65d5b7e8..b36f0531a37 100644 --- a/api/src/com/cloud/user/ResourceLimitService.java +++ b/api/src/com/cloud/user/ResourceLimitService.java @@ -88,7 +88,7 @@ public interface ResourceLimitService { * @param type * @return */ - public long findCorrectResourceLimitForAccount(short accountType, Long limit, ResourceType type); + public long findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type); /** * Finds the resource limit for a specified domain and type. If the domain has an infinite limit, will check diff --git a/api/src/org/apache/cloudstack/api/BaseCmd.java b/api/src/org/apache/cloudstack/api/BaseCmd.java index 781b692fa64..d90fe7cda4d 100644 --- a/api/src/org/apache/cloudstack/api/BaseCmd.java +++ b/api/src/org/apache/cloudstack/api/BaseCmd.java @@ -473,16 +473,6 @@ public abstract class BaseCmd { return 0; } - public static boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || - (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || - (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); - } - - public static boolean isRootAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN)); - } - public void setFullUrlParams(Map map) { this.fullUrlParams = map; } diff --git a/api/src/org/apache/cloudstack/api/BaseListTemplateOrIsoPermissionsCmd.java b/api/src/org/apache/cloudstack/api/BaseListTemplateOrIsoPermissionsCmd.java index 88732ae6bf8..caac2844850 100644 --- a/api/src/org/apache/cloudstack/api/BaseListTemplateOrIsoPermissionsCmd.java +++ b/api/src/org/apache/cloudstack/api/BaseListTemplateOrIsoPermissionsCmd.java @@ -81,7 +81,7 @@ public class BaseListTemplateOrIsoPermissionsCmd extends BaseCmd { List accountNames = _templateService.listTemplatePermissions(this); Account account = CallContext.current().getCallingAccount(); - boolean isAdmin = (isAdmin(account.getType())); + boolean isAdmin = (_accountService.isAdmin(account.getType())); TemplatePermissionsResponse response = _responseGenerator.createTemplatePermissionsResponse(accountNames, id, isAdmin); response.setResponseName(getCommandName()); diff --git a/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java b/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java index 378d6362a93..ee88c0cb542 100644 --- a/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java +++ b/api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java @@ -121,7 +121,7 @@ public class CreateUserCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java index 59b9f17d0da..27235392909 100644 --- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/CreateAffinityGroupCmd.java @@ -96,7 +96,7 @@ public class CreateAffinityGroupCmd extends BaseAsyncCreateCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { diff --git a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java index 0fa8b2bb647..df9626a7f41 100644 --- a/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/affinitygroup/DeleteAffinityGroupCmd.java @@ -102,7 +102,7 @@ public class DeleteAffinityGroupCmd extends BaseAsyncCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { diff --git a/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java b/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java index c3f558bd249..a1fece594aa 100644 --- a/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/iso/ListIsosCmd.java @@ -16,10 +16,6 @@ // under the License. package org.apache.cloudstack.api.command.user.iso; -import java.util.ArrayList; -import java.util.List; -import java.util.Set; - import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -34,7 +30,6 @@ import org.apache.log4j.Logger; import com.cloud.template.VirtualMachineTemplate.TemplateFilter; import com.cloud.user.Account; -import com.cloud.utils.Pair; @APICommand(name = "listIsos", description="Lists all available ISO files.", responseObject=TemplateResponse.class) public class ListIsosCmd extends BaseListTaggedResourcesCmd { @@ -119,7 +114,8 @@ public class ListIsosCmd extends BaseListTaggedResourcesCmd { public boolean listInReadyState() { Account account = CallContext.current().getCallingAccount(); // It is account specific if account is admin type and domainId and accountName are not null - boolean isAccountSpecific = (account == null || isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null); + boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType())) + && (getAccountName() != null) && (getDomainId() != null); // Show only those that are downloaded. TemplateFilter templateFilter = TemplateFilter.valueOf(getIsoFilter()); boolean onlyReady = (templateFilter == TemplateFilter.featured) || (templateFilter == TemplateFilter.selfexecutable) || (templateFilter == TemplateFilter.sharedexecutable) diff --git a/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java b/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java index 9c726d13912..a21a1f0a86f 100644 --- a/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/resource/UpdateResourceCountCmd.java @@ -101,7 +101,7 @@ public class UpdateResourceCountCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { diff --git a/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java b/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java index 2d7396eb6e4..d1658b4274f 100644 --- a/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/securitygroup/CreateSecurityGroupCmd.java @@ -93,7 +93,7 @@ public class CreateSecurityGroupCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { diff --git a/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java b/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java index eb2d2379604..0b3999f5d0e 100644 --- a/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/ssh/DeleteSSHKeyPairCmd.java @@ -92,7 +92,7 @@ public class DeleteSSHKeyPairCmd extends BaseCmd { @Override public long getEntityOwnerId() { Account account = CallContext.current().getCallingAccount(); - if ((account == null) || isAdmin(account.getType())) { + if ((account == null) || _accountService.isAdmin(account.getType())) { if ((domainId != null) && (accountName != null)) { Account userAccount = _responseGenerator.findAccountByNameDomain(accountName, domainId); if (userAccount != null) { diff --git a/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java b/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java index 4b349092125..30960f1ff19 100644 --- a/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java +++ b/api/src/org/apache/cloudstack/api/command/user/template/ListTemplatesCmd.java @@ -16,10 +16,6 @@ // under the License. package org.apache.cloudstack.api.command.user.template; -import java.util.ArrayList; -import java.util.List; -import java.util.Set; - import org.apache.cloudstack.api.APICommand; import org.apache.cloudstack.api.ApiCommandJobType; import org.apache.cloudstack.api.ApiConstants; @@ -27,7 +23,6 @@ import org.apache.cloudstack.api.BaseListTaggedResourcesCmd; import org.apache.cloudstack.api.Parameter; import org.apache.cloudstack.api.response.ListResponse; import org.apache.cloudstack.api.response.TemplateResponse; -import org.apache.cloudstack.api.response.VolumeResponse; import org.apache.cloudstack.api.response.ZoneResponse; import org.apache.cloudstack.context.CallContext; @@ -35,7 +30,6 @@ import org.apache.log4j.Logger; import com.cloud.template.VirtualMachineTemplate.TemplateFilter; import com.cloud.user.Account; -import com.cloud.utils.Pair; @APICommand(name = "listTemplates", description="List all public, private, and privileged templates.", responseObject=TemplateResponse.class) public class ListTemplatesCmd extends BaseListTaggedResourcesCmd { @@ -98,7 +92,8 @@ public class ListTemplatesCmd extends BaseListTaggedResourcesCmd { Account account = CallContext.current().getCallingAccount(); // It is account specific if account is admin type and domainId and accountName are not null - boolean isAccountSpecific = (account == null || isAdmin(account.getType())) && (getAccountName() != null) && (getDomainId() != null); + boolean isAccountSpecific = (account == null || _accountService.isAdmin(account.getType())) + && (getAccountName() != null) && (getDomainId() != null); // Show only those that are downloaded. TemplateFilter templateFilter = TemplateFilter.valueOf(getTemplateFilter()); boolean onlyReady = (templateFilter == TemplateFilter.featured) || (templateFilter == TemplateFilter.selfexecutable) || (templateFilter == TemplateFilter.sharedexecutable) diff --git a/plugins/api/rate-limit/src/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java b/plugins/api/rate-limit/src/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java index 1e32e845496..1540ef4ef8a 100644 --- a/plugins/api/rate-limit/src/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java +++ b/plugins/api/rate-limit/src/org/apache/cloudstack/ratelimit/ApiRateLimitServiceImpl.java @@ -156,7 +156,7 @@ public class ApiRateLimitServiceImpl extends AdapterBase implements APIChecker, } Long accountId = user.getAccountId(); Account account = _accountService.getAccount(accountId); - if ( _accountService.isRootAdmin(account.getType())){ + if (_accountService.isRootAdmin(account.getId())) { // no API throttling on root admin return true; } diff --git a/plugins/api/rate-limit/test/org/apache/cloudstack/ratelimit/ApiRateLimitTest.java b/plugins/api/rate-limit/test/org/apache/cloudstack/ratelimit/ApiRateLimitTest.java index 8d31b9dbb1b..03c9bdb1ca8 100644 --- a/plugins/api/rate-limit/test/org/apache/cloudstack/ratelimit/ApiRateLimitTest.java +++ b/plugins/api/rate-limit/test/org/apache/cloudstack/ratelimit/ApiRateLimitTest.java @@ -70,7 +70,7 @@ public class ApiRateLimitTest { testAccount = acct; when(_accountService.getAccount(5L)).thenReturn(testAccount); - when(_accountService.isRootAdmin(Account.ACCOUNT_TYPE_NORMAL)).thenReturn(false); + when(_accountService.isRootAdmin(5L)).thenReturn(false); } @Before diff --git a/server/src/com/cloud/acl/AffinityGroupAccessChecker.java b/server/src/com/cloud/acl/AffinityGroupAccessChecker.java index bc1e631e445..9df52aea624 100644 --- a/server/src/com/cloud/acl/AffinityGroupAccessChecker.java +++ b/server/src/com/cloud/acl/AffinityGroupAccessChecker.java @@ -51,7 +51,7 @@ public class AffinityGroupAccessChecker extends DomainChecker { if (_affinityGroupService.isAdminControlledGroup(group)) { if (accessType != null && accessType == AccessType.ModifyEntry - && !_accountMgr.isRootAdmin(caller.getType())) { + && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity); } diff --git a/server/src/com/cloud/acl/DomainChecker.java b/server/src/com/cloud/acl/DomainChecker.java index 7b47bae4f25..a65e77b5be5 100755 --- a/server/src/com/cloud/acl/DomainChecker.java +++ b/server/src/com/cloud/acl/DomainChecker.java @@ -41,6 +41,7 @@ import com.cloud.storage.LaunchPermissionVO; import com.cloud.storage.dao.LaunchPermissionDao; import com.cloud.template.VirtualMachineTemplate; import com.cloud.user.Account; +import com.cloud.user.AccountService; import com.cloud.user.User; import com.cloud.user.dao.AccountDao; import com.cloud.utils.component.AdapterBase; @@ -57,6 +58,8 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { @Inject NetworkModel _networkMgr; @Inject private DedicatedResourceDao _dedicatedDao; + @Inject + AccountService _accountService; protected DomainChecker() { super(); @@ -97,7 +100,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { Account owner = _accountDao.findById(template.getAccountId()); // validate that the template is usable by the account if (!template.isPublicTemplate()) { - if (BaseCmd.isRootAdmin(caller.getType()) || (owner.getId() == caller.getId())) { + if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) { return true; } //special handling for the project case @@ -114,7 +117,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { } else { // Domain admin and regular user can delete/modify only templates created by them if (accessType != null && accessType == AccessType.ModifyEntry) { - if (!BaseCmd.isRootAdmin(caller.getType()) && owner.getId() != caller.getId()) { + if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) { // For projects check if the caller account can access the project account if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) { throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates"); @@ -164,7 +167,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { return true; } else { //admin has all permissions - if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountService.isRootAdmin(account.getId())) { return true; } //if account is normal user or domain admin @@ -200,7 +203,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { return true; } else { //admin has all permissions - if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountService.isRootAdmin(account.getId())) { return true; } //if account is normal user or domain admin @@ -236,7 +239,7 @@ public class DomainChecker extends AdapterBase implements SecurityChecker { return true; } else { //admin has all permissions - if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountService.isRootAdmin(account.getId())) { return true; } //if account is normal user diff --git a/server/src/com/cloud/api/ApiDBUtils.java b/server/src/com/cloud/api/ApiDBUtils.java index 6539289dd4a..1afa90225fe 100755 --- a/server/src/com/cloud/api/ApiDBUtils.java +++ b/server/src/com/cloud/api/ApiDBUtils.java @@ -696,8 +696,8 @@ public class ApiDBUtils { return _resourceLimitMgr.findCorrectResourceLimitForAccount(account, type); } - public static long findCorrectResourceLimit(Long limit, short accountType, ResourceType type) { - return _resourceLimitMgr.findCorrectResourceLimitForAccount(accountType, limit, type); + public static long findCorrectResourceLimit(Long limit, long accountId, ResourceType type) { + return _resourceLimitMgr.findCorrectResourceLimitForAccount(accountId, limit, type); } public static long getResourceCount(ResourceType type, long accountId) { diff --git a/server/src/com/cloud/api/ApiResponseHelper.java b/server/src/com/cloud/api/ApiResponseHelper.java index 1ba55bfb56a..f698c2e5453 100755 --- a/server/src/com/cloud/api/ApiResponseHelper.java +++ b/server/src/com/cloud/api/ApiResponseHelper.java @@ -681,7 +681,7 @@ public class ApiResponseHelper implements ResponseGenerator { // show this info to admin only Account account = CallContext.current().getCallingAccount(); - if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountMgr.isRootAdmin(account.getId())) { VlanVO vl = ApiDBUtils.findVlanById(ipAddr.getVlanId()); if (vl != null) { ipResponse.setVlanId(vl.getUuid()); @@ -2176,7 +2176,8 @@ public class ApiResponseHelper implements ResponseGenerator { response.setReservedIpRange(reservation); // return vlan information only to Root admin - if (network.getBroadcastUri() != null && CallContext.current().getCallingAccount().getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (network.getBroadcastUri() != null + && _accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) { String broadcastUri = network.getBroadcastUri().toString(); response.setBroadcastUri(broadcastUri); String vlan = "N/A"; diff --git a/server/src/com/cloud/api/ApiServer.java b/server/src/com/cloud/api/ApiServer.java index 550626f111c..1a93e9aa8b6 100755 --- a/server/src/com/cloud/api/ApiServer.java +++ b/server/src/com/cloud/api/ApiServer.java @@ -409,7 +409,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer } catch (InsufficientCapacityException ex){ s_logger.info(ex.getMessage()); String errorMsg = ex.getMessage(); - if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){ + if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) { // hide internal details to non-admin user for security reason errorMsg = BaseCmd.USER_ERROR_MESSAGE; } @@ -420,7 +420,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer } catch (ResourceUnavailableException ex){ s_logger.info(ex.getMessage()); String errorMsg = ex.getMessage(); - if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){ + if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) { // hide internal details to non-admin user for security reason errorMsg = BaseCmd.USER_ERROR_MESSAGE; } @@ -431,7 +431,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer } catch (Exception ex){ s_logger.error("unhandled exception executing api command: " + ((command == null) ? "null" : command[0]), ex); String errorMsg = ex.getMessage(); - if (CallContext.current().getCallingAccount().getType() != Account.ACCOUNT_TYPE_ADMIN){ + if (!_accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) { // hide internal details to non-admin user for security reason errorMsg = BaseCmd.USER_ERROR_MESSAGE; } @@ -565,7 +565,7 @@ public class ApiServer extends ManagerBase implements HttpRequestHandler, ApiSer List jobs = null; // list all jobs for ROOT admin - if (account.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountMgr.isRootAdmin(account.getId())) { jobs = _asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), null); } else { jobs = _asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), account.getId()); diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 3bf929a2ef2..79a42522700 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java @@ -2234,7 +2234,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { // if a domainId is provided, we just return the disk offering // associated with this domain if (domainId != null) { - if (account.getType() == Account.ACCOUNT_TYPE_ADMIN || isPermissible(account.getDomainId(), domainId)) { + if (_accountMgr.isRootAdmin(account.getId()) || isPermissible(account.getDomainId(), domainId)) { // check if the user's domain == do's domain || user's domain is // a child of so's domain for non-root users sc.addAnd("domainId", SearchCriteria.Op.EQ, domainId); @@ -2355,14 +2355,14 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { Boolean isSystem = cmd.getIsSystem(); String vmTypeStr = cmd.getSystemVmType(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && isSystem) { + if (!_accountMgr.isRootAdmin(caller.getId()) && isSystem) { throw new InvalidParameterValueException("Only ROOT admins can access system's offering"); } // Keeping this logic consistent with domain specific zones // if a domainId is provided, we just return the so associated with this // domain - if (domainId != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (domainId != null && !_accountMgr.isRootAdmin(caller.getId())) { // check if the user's domain == so's domain || user's domain is a // child of so's domain if (!isPermissible(caller.getDomainId(), domainId)) { @@ -2761,7 +2761,7 @@ public class QueryManagerImpl extends ManagerBase implements QueryService { } // if template is not public, perform permission check here - if (!template.isPublicTemplate() && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!template.isPublicTemplate() && !_accountMgr.isRootAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(template.getAccountId()); _accountMgr.checkAccess(caller, null, true, owner); } diff --git a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java index edbd3ae2537..424497424e9 100644 --- a/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/AccountJoinDaoImpl.java @@ -19,6 +19,7 @@ package com.cloud.api.query.dao; import java.util.List; import javax.ejb.Local; +import javax.inject.Inject; import org.apache.cloudstack.api.response.AccountResponse; import org.apache.cloudstack.api.response.ResourceLimitAndCountResponse; @@ -32,6 +33,7 @@ import com.cloud.api.query.vo.AccountJoinVO; import com.cloud.api.query.vo.UserAccountJoinVO; import com.cloud.configuration.Resource.ResourceType; import com.cloud.user.Account; +import com.cloud.user.AccountManager; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; @@ -42,6 +44,8 @@ public class AccountJoinDaoImpl extends GenericDaoBase impl public static final Logger s_logger = Logger.getLogger(AccountJoinDaoImpl.class); private SearchBuilder acctIdSearch; + @Inject + public AccountManager _accountMgr; protected AccountJoinDaoImpl() { @@ -69,11 +73,11 @@ public class AccountJoinDaoImpl extends GenericDaoBase impl accountResponse.setBytesReceived(account.getBytesReceived()); accountResponse.setBytesSent(account.getBytesSent()); - boolean accountIsAdmin = (account.getType() == Account.ACCOUNT_TYPE_ADMIN); + boolean accountIsAdmin = (_accountMgr.isRootAdmin(account.getId())); setResourceLimits(account, accountIsAdmin, accountResponse); //get resource limits for projects - long projectLimit = ApiDBUtils.findCorrectResourceLimit(account.getProjectLimit(), account.getType(), ResourceType.project); + long projectLimit = ApiDBUtils.findCorrectResourceLimit(account.getProjectLimit(), account.getId(), ResourceType.project); String projectLimitDisplay = (accountIsAdmin || projectLimit == -1) ? "Unlimited" : String.valueOf(projectLimit); long projectTotal = (account.getProjectTotal() == null) ? 0 : account.getProjectTotal(); String projectAvail = (accountIsAdmin || projectLimit == -1) ? "Unlimited" : String.valueOf(projectLimit - projectTotal); @@ -103,7 +107,7 @@ public class AccountJoinDaoImpl extends GenericDaoBase impl @Override public void setResourceLimits(AccountJoinVO account, boolean accountIsAdmin, ResourceLimitAndCountResponse response) { // Get resource limits and counts - long vmLimit = ApiDBUtils.findCorrectResourceLimit(account.getVmLimit(), account.getType(), ResourceType.user_vm); + long vmLimit = ApiDBUtils.findCorrectResourceLimit(account.getVmLimit(), account.getId(), ResourceType.user_vm); String vmLimitDisplay = (accountIsAdmin || vmLimit == -1) ? "Unlimited" : String.valueOf(vmLimit); long vmTotal = (account.getVmTotal() == null) ? 0 : account.getVmTotal(); String vmAvail = (accountIsAdmin || vmLimit == -1) ? "Unlimited" : String.valueOf(vmLimit - vmTotal); diff --git a/server/src/com/cloud/api/query/dao/DataCenterJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/DataCenterJoinDaoImpl.java index edceb26666c..63bf563bec6 100644 --- a/server/src/com/cloud/api/query/dao/DataCenterJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/DataCenterJoinDaoImpl.java @@ -19,6 +19,7 @@ package com.cloud.api.query.dao; import java.util.List; import javax.ejb.Local; +import javax.inject.Inject; import org.apache.log4j.Logger; @@ -31,6 +32,7 @@ import org.apache.cloudstack.api.response.ZoneResponse; import org.apache.cloudstack.context.CallContext; import com.cloud.user.Account; +import com.cloud.user.AccountManager; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; @@ -44,6 +46,8 @@ public class DataCenterJoinDaoImpl extends GenericDaoBase dofIdSearch; + @Inject + public AccountManager _accountMgr; protected DataCenterJoinDaoImpl() { @@ -70,7 +74,7 @@ public class DataCenterJoinDaoImpl extends GenericDaoBase vrSearch; @@ -78,7 +81,7 @@ public class DomainRouterJoinDaoImpl extends GenericDaoBase im @Inject private ConfigurationDao _configDao; + @Inject + public AccountService _accountService; private final SearchBuilder tmpltIdPairSearch; @@ -99,7 +102,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase im private String getTemplateStatus(TemplateJoinVO template){ boolean isAdmin = false; Account caller = CallContext.current().getCallingAccount(); - if ((caller == null) || BaseCmd.isAdmin(caller.getType())) { + if ((caller == null) || _accountService.isAdmin(caller.getType())) { isAdmin = true; } @@ -319,7 +322,7 @@ public class TemplateJoinDaoImpl extends GenericDaoBase im Account caller = CallContext.current().getCallingAccount(); boolean isAdmin = false; - if ((caller == null) || BaseCmd.isAdmin(caller.getType())) { + if ((caller == null) || _accountService.isAdmin(caller.getType())) { isAdmin = true; } diff --git a/server/src/com/cloud/api/query/dao/UserVmJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/UserVmJoinDaoImpl.java index 7fe3c1d2fcc..f2af38dbf82 100644 --- a/server/src/com/cloud/api/query/dao/UserVmJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/UserVmJoinDaoImpl.java @@ -41,6 +41,7 @@ import com.cloud.api.query.vo.ResourceTagJoinVO; import com.cloud.api.query.vo.UserVmJoinVO; import com.cloud.hypervisor.Hypervisor.HypervisorType; import com.cloud.user.Account; +import com.cloud.user.AccountManager; import com.cloud.uservm.UserVm; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; @@ -56,7 +57,8 @@ public class UserVmJoinDaoImpl extends GenericDaoBase implem @Inject private ConfigurationDao _configDao; - + @Inject + public AccountManager _accountMgr; private final SearchBuilder VmDetailSearch; private final SearchBuilder activeVmByIsoSearch; @@ -121,7 +123,7 @@ public class UserVmJoinDaoImpl extends GenericDaoBase implem } userVmResponse.setZoneId(userVm.getDataCenterUuid()); userVmResponse.setZoneName(userVm.getDataCenterName()); - if ((caller == null) || (caller.getType() == Account.ACCOUNT_TYPE_ADMIN)) { + if ((caller == null) || (_accountMgr.isRootAdmin(caller.getId()))) { userVmResponse.setInstanceName(userVm.getInstanceName()); userVmResponse.setHostId(userVm.getHostUuid()); userVmResponse.setHostName(userVm.getHostName()); diff --git a/server/src/com/cloud/api/query/dao/VolumeJoinDaoImpl.java b/server/src/com/cloud/api/query/dao/VolumeJoinDaoImpl.java index df6e583058c..5ca168c92b4 100644 --- a/server/src/com/cloud/api/query/dao/VolumeJoinDaoImpl.java +++ b/server/src/com/cloud/api/query/dao/VolumeJoinDaoImpl.java @@ -39,6 +39,8 @@ import com.cloud.storage.VMTemplateHostVO; import com.cloud.storage.VMTemplateStorageResourceAssoc.Status; import com.cloud.storage.Volume; import com.cloud.user.Account; +import com.cloud.user.AccountManager; +import com.cloud.user.AccountService; import com.cloud.utils.db.GenericDaoBase; import com.cloud.utils.db.SearchBuilder; import com.cloud.utils.db.SearchCriteria; @@ -51,6 +53,8 @@ public class VolumeJoinDaoImpl extends GenericDaoBase implem @Inject private ConfigurationDao _configDao; + @Inject + public AccountManager _accountMgr; private final SearchBuilder volSearch; @@ -114,7 +118,8 @@ public class VolumeJoinDaoImpl extends GenericDaoBase implem volResponse.setSize(volume.getVolumeStoreSize()); volResponse.setCreated(volume.getCreatedOnStore()); - if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) + if (_accountMgr.isRootAdmin(caller.getId()) + || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) volResponse.setHypervisor(ApiDBUtils.getHypervisorTypeFromFormat(volume.getFormat()).toString()); if (volume.getDownloadState() != Status.DOWNLOADED) { String volumeStatus = "Processing"; @@ -171,7 +176,7 @@ public class VolumeJoinDaoImpl extends GenericDaoBase implem } // return hypervisor and storage pool info for ROOT and Resource domain only - if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { + if (_accountMgr.isRootAdmin(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) { if (volume.getState() != Volume.State.UploadOp && volume.getHypervisorType() != null) { volResponse.setHypervisor(volume.getHypervisorType().toString()); } diff --git a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java index 3c77958fe30..0c7374efe3e 100755 --- a/server/src/com/cloud/configuration/ConfigurationManagerImpl.java +++ b/server/src/com/cloud/configuration/ConfigurationManagerImpl.java @@ -1234,7 +1234,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati DataCenterVO zone = _zoneDao.findById(zoneId); Account account = CallContext.current().getCallingAccount(); if (Grouping.AllocationState.Disabled == zone.getAllocationState() - && !_accountMgr.isRootAdmin(account.getType())) { + && !_accountMgr.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId); } @@ -2565,7 +2565,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati // Check if zone is enabled Account caller = CallContext.current().getCallingAccount(); if (Grouping.AllocationState.Disabled == zone.getAllocationState() - && !_accountMgr.isRootAdmin(caller.getType())) { + && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId); } diff --git a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java index 8cd44f44673..e1d5cb17a2b 100644 --- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java +++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java @@ -1220,7 +1220,7 @@ public class DeploymentPlanningManagerImpl extends ManagerBase implements Deploy private boolean isRootAdmin(ReservationContext reservationContext) { if (reservationContext != null) { if (reservationContext.getAccount() != null) { - return _accountMgr.isRootAdmin(reservationContext.getAccount().getType()); + return _accountMgr.isRootAdmin(reservationContext.getAccount().getId()); } else { return false; } diff --git a/server/src/com/cloud/deploy/FirstFitPlanner.java b/server/src/com/cloud/deploy/FirstFitPlanner.java index 64b1124d6b8..150cfd3b0b5 100755 --- a/server/src/com/cloud/deploy/FirstFitPlanner.java +++ b/server/src/com/cloud/deploy/FirstFitPlanner.java @@ -468,7 +468,7 @@ public class FirstFitPlanner extends PlannerBase implements DeploymentClusterPla private boolean isRootAdmin(ReservationContext reservationContext) { if(reservationContext != null){ if(reservationContext.getAccount() != null){ - return _accountMgr.isRootAdmin(reservationContext.getAccount().getType()); + return _accountMgr.isRootAdmin(reservationContext.getAccount().getId()); }else{ return false; } diff --git a/server/src/com/cloud/network/IpAddressManagerImpl.java b/server/src/com/cloud/network/IpAddressManagerImpl.java index 805821e4f2f..4c49247c4e6 100644 --- a/server/src/com/cloud/network/IpAddressManagerImpl.java +++ b/server/src/com/cloud/network/IpAddressManagerImpl.java @@ -983,7 +983,7 @@ public class IpAddressManagerImpl extends ManagerBase implements IpAddressManage VlanType vlanType = VlanType.VirtualNetwork; boolean assign = false; - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { // zone is of type DataCenter. See DataCenterVO.java. PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, " + "Zone is currently disabled"); ex.addProxyObject(zone.getUuid(), "zoneId"); diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java index 06c9526020b..aa14a1da0a8 100755 --- a/server/src/com/cloud/network/NetworkServiceImpl.java +++ b/server/src/com/cloud/network/NetworkServiceImpl.java @@ -1018,7 +1018,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { } if(displayNetwork != null){ - if(!_accountMgr.isRootAdmin(caller.getType())){ + if(!_accountMgr.isRootAdmin(caller.getId())){ throw new PermissionDeniedException("Only admin allowed to update displaynetwork parameter"); } }else{ @@ -1030,7 +1030,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { throw new InvalidParameterValueException("Specified zone id was not found"); } - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { // See DataCenterVO.java PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled"); ex.addProxyObject(zone.getUuid(), "zoneId"); @@ -1194,13 +1194,13 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { } // Don't allow to specify vlan if the caller is not ROOT admin - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && (ntwkOff.getSpecifyVlan() || vlanId != null)) { + if (!_accountMgr.isRootAdmin(caller.getId()) && (ntwkOff.getSpecifyVlan() || vlanId != null)) { throw new InvalidParameterValueException("Only ROOT admin is allowed to specify vlanId"); } if (ipv4) { // For non-root admins check cidr limit - if it's allowed by global config value - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN && cidr != null) { + if (!_accountMgr.isRootAdmin(caller.getId()) && cidr != null) { String[] cidrPair = cidr.split("\\/"); int cidrSize = Integer.valueOf(cidrPair[1]); @@ -1307,7 +1307,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { ip6Gateway, ip6Cidr, displayNetwork, isolatedPvlan); } - if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN && createVlan) { + if (_accountMgr.isRootAdmin(caller.getId()) && createVlan) { // Create vlan ip range _configMgr.createVlanAndPublicIpRange(pNtwk.getDataCenterId(), network.getId(), physicalNetworkId, false, null, startIP, endIP, gateway, netmask, vlanId, null, startIPv6, endIPv6, ip6Gateway, ip6Cidr); @@ -1960,7 +1960,7 @@ public class NetworkServiceImpl extends ManagerBase implements NetworkService { } if(displayNetwork != null){ - if(!_accountMgr.isRootAdmin(callerAccount.getType())){ + if (!_accountMgr.isRootAdmin(callerAccount.getId())) { throw new PermissionDeniedException("Only admin allowed to update displaynetwork parameter"); } network.setDisplayNetwork(displayNetwork); diff --git a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java index 773c2c8374f..195f93ef267 100644 --- a/server/src/com/cloud/network/firewall/FirewallManagerImpl.java +++ b/server/src/com/cloud/network/firewall/FirewallManagerImpl.java @@ -695,7 +695,7 @@ public class FirewallManagerImpl extends ManagerBase implements FirewallService, throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.Firewall); } - if (rule.getType() == FirewallRuleType.System && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (rule.getType() == FirewallRuleType.System && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule"); } diff --git a/server/src/com/cloud/network/vpc/VpcManagerImpl.java b/server/src/com/cloud/network/vpc/VpcManagerImpl.java index a07b9efaf89..6d3223ece02 100644 --- a/server/src/com/cloud/network/vpc/VpcManagerImpl.java +++ b/server/src/com/cloud/network/vpc/VpcManagerImpl.java @@ -612,7 +612,7 @@ public class VpcManagerImpl extends ManagerBase implements VpcManager, VpcProvis throw new InvalidParameterValueException("Can't find zone by id specified"); } - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { // See DataCenterVO.java PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled"); ex.addProxyObject(zone.getUuid(), "zoneId"); diff --git a/server/src/com/cloud/projects/ProjectManagerImpl.java b/server/src/com/cloud/projects/ProjectManagerImpl.java index edcdf3f1a2b..b4987cbde0f 100755 --- a/server/src/com/cloud/projects/ProjectManagerImpl.java +++ b/server/src/com/cloud/projects/ProjectManagerImpl.java @@ -417,7 +417,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { @Override public boolean canAccessProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project - if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { Account owner = _accountMgr.getAccount(accountId); @@ -431,7 +431,7 @@ public class ProjectManagerImpl extends ManagerBase implements ProjectManager { @Override public boolean canModifyProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project - if (caller.getType() == Account.ACCOUNT_TYPE_ADMIN) { + if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { Account owner = _accountMgr.getAccount(accountId); diff --git a/server/src/com/cloud/resource/ResourceManagerImpl.java b/server/src/com/cloud/resource/ResourceManagerImpl.java index 76d7cf9d299..b36e03ae62d 100755 --- a/server/src/com/cloud/resource/ResourceManagerImpl.java +++ b/server/src/com/cloud/resource/ResourceManagerImpl.java @@ -368,7 +368,7 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager, } Account account = CallContext.current().getCallingAccount(); - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) { PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); throw ex; @@ -591,7 +591,7 @@ public class ResourceManagerImpl extends ManagerBase implements ResourceManager, } Account account = CallContext.current().getCallingAccount(); - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) { PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); throw ex; diff --git a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java index 376e943393b..c0d3cb96441 100755 --- a/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java +++ b/server/src/com/cloud/resourcelimit/ResourceLimitManagerImpl.java @@ -263,7 +263,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim long max = Resource.RESOURCE_UNLIMITED; // if resource limit is not found, then we treat it as unlimited // No limits for Root Admin accounts - if (_accountMgr.isRootAdmin(account.getType())) { + if (_accountMgr.isRootAdmin(account.getId())) { return max; } @@ -293,15 +293,16 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim } @Override - public long findCorrectResourceLimitForAccount(short accountType, Long limit, ResourceType type) { + public long findCorrectResourceLimitForAccount(long accountId, Long limit, ResourceType type) { long max = Resource.RESOURCE_UNLIMITED; // if resource limit is not found, then we treat it as unlimited // No limits for Root Admin accounts - if (_accountMgr.isRootAdmin(accountType)) { + if (_accountMgr.isRootAdmin(accountId)) { return max; } + Account account = _accountDao.findById(accountId); // Check if limit is configured for account if (limit != null) { @@ -309,7 +310,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim } else { // If the account has an no limit set, then return global default account limits Long value = null; - if (accountType == Account.ACCOUNT_TYPE_PROJECT) { + if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { value = projectResourceLimitMap.get(type); } else { value = accountResourceLimitMap.get(type); @@ -366,7 +367,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim Project project = null; // Don't place any limits on system or root admin accounts - if (_accountMgr.isRootAdmin(account.getType())) { + if (_accountMgr.isRootAdmin(account.getId())) { return; } @@ -605,7 +606,7 @@ public class ResourceLimitManagerImpl extends ManagerBase implements ResourceLim } //only Unlimited value is accepted if account is Root Admin - if (_accountMgr.isRootAdmin(account.getType()) && max.shortValue() != ResourceLimit.RESOURCE_UNLIMITED) { + if (_accountMgr.isRootAdmin(account.getId()) && max.shortValue() != ResourceLimit.RESOURCE_UNLIMITED) { throw new InvalidParameterValueException("Only " + ResourceLimit.RESOURCE_UNLIMITED + " limit is supported for Root Admin accounts"); } diff --git a/server/src/com/cloud/server/ManagementServerImpl.java b/server/src/com/cloud/server/ManagementServerImpl.java index c0a52f78cef..824b3133143 100755 --- a/server/src/com/cloud/server/ManagementServerImpl.java +++ b/server/src/com/cloud/server/ManagementServerImpl.java @@ -1030,7 +1030,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe listHostsForMigrationOfVM(Long vmId, Long startIndex, Long pageSize) { // access check - only root admin can migrate VM Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -1240,7 +1240,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe public Pair, List> listStoragePoolsForMigrationOfVolume(Long volumeId) { // Access check - only root administrator can migrate volumes. Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the volume"); } @@ -1826,7 +1826,7 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe _accountMgr.checkAccess(account, AccessType.ModifyEntry, true, template); if(cmd.isRoutingType() != null){ - if(!_accountService.isRootAdmin(account.getType())){ + if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied"); } } @@ -2477,13 +2477,6 @@ public class ManagementServerImpl extends ManagerBase implements ManagementServe } - public static boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) - || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); - } - - - @Override public List> getCommands() { List> cmdList = new ArrayList>(); diff --git a/server/src/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/com/cloud/servlet/ConsoleProxyServlet.java index e01d9595215..3665486e2ad 100644 --- a/server/src/com/cloud/servlet/ConsoleProxyServlet.java +++ b/server/src/com/cloud/servlet/ConsoleProxyServlet.java @@ -465,7 +465,7 @@ public class ConsoleProxyServlet extends HttpServlet { } // root admin can access anything - if(accountObj.getType() == Account.ACCOUNT_TYPE_ADMIN) + if (_accountMgr.isRootAdmin(accountObj.getId())) return true; switch(vm.getType()) diff --git a/server/src/com/cloud/storage/StorageManagerImpl.java b/server/src/com/cloud/storage/StorageManagerImpl.java index 8417066cffb..9bbfe989b07 100755 --- a/server/src/com/cloud/storage/StorageManagerImpl.java +++ b/server/src/com/cloud/storage/StorageManagerImpl.java @@ -631,7 +631,7 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C } // Check if zone is disabled Account account = CallContext.current().getCallingAccount(); - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId); } @@ -1675,7 +1675,8 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C } Account account = CallContext.current().getCallingAccount(); - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() + && !_accountMgr.isRootAdmin(account.getId())) { PermissionDeniedException ex = new PermissionDeniedException( "Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); @@ -1828,7 +1829,7 @@ public class StorageManagerImpl extends ManagerBase implements StorageManager, C } Account account = CallContext.current().getCallingAccount(); - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) { PermissionDeniedException ex = new PermissionDeniedException( "Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java index cc995892eb3..dbcb9618032 100644 --- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java +++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java @@ -360,7 +360,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic } // Check if zone is disabled - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId); } @@ -572,7 +572,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic if (displayVolumeEnabled == null) { displayVolumeEnabled = true; } else { - if (!_accountMgr.isRootAdmin(caller.getType())) { + if (!_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted "); } } @@ -587,7 +587,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic } // Check if zone is disabled - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId); } @@ -1352,7 +1352,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic throw new InvalidParameterValueException("Can't find zone by id " + volume.getDataCenterId()); } - if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())) { + if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zone.getName()); } @@ -1383,7 +1383,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic String mode = cmd.getMode(); Account account = CallContext.current().getCallingAccount(); - if (!_accountMgr.isRootAdmin(account.getType()) && ApiDBUtils.isExtractionDisabled()) { + if (!_accountMgr.isRootAdmin(account.getId()) && ApiDBUtils.isExtractionDisabled()) { throw new PermissionDeniedException("Extraction has been disabled by admin"); } @@ -1421,7 +1421,7 @@ public class VolumeApiServiceImpl extends ManagerBase implements VolumeApiServic // we allow extraction of all ISO based // volumes boolean isExtractable = template.isExtractable() && template.getTemplateType() != Storage.TemplateType.SYSTEM; - if (!isExtractable && account != null && account.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!isExtractable && account != null && !_accountMgr.isRootAdmin(account.getId())) { // Global admins are always allowed to extract PermissionDeniedException ex = new PermissionDeniedException("The volume with specified volumeId is not allowed to be extracted"); ex.addProxyObject(volume.getUuid(), "volumeId"); diff --git a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java index a884b9542c8..69ed16e026f 100755 --- a/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java +++ b/server/src/com/cloud/storage/snapshot/SnapshotManagerImpl.java @@ -764,7 +764,7 @@ public class SnapshotManagerImpl extends ManagerBase implements SnapshotManager, long accountLimit = _resourceLimitMgr.findCorrectResourceLimitForAccount(owner, ResourceType.snapshot); long domainLimit = _resourceLimitMgr.findCorrectResourceLimitForDomain(_domainMgr.getDomain(owner.getDomainId()), ResourceType.snapshot); int max = cmd.getMaxSnaps().intValue(); - if (owner.getType() != Account.ACCOUNT_TYPE_ADMIN && ((accountLimit != -1 && max > accountLimit) || (domainLimit != -1 && max > domainLimit))) { + if (!_accountMgr.isRootAdmin(owner.getId())&& ((accountLimit != -1 && max > accountLimit) || (domainLimit != -1 && max > domainLimit))) { String message = "domain/account"; if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT) { message = "domain/project"; diff --git a/server/src/com/cloud/template/TemplateAdapterBase.java b/server/src/com/cloud/template/TemplateAdapterBase.java index a0d4c772072..9485b2a8824 100755 --- a/server/src/com/cloud/template/TemplateAdapterBase.java +++ b/server/src/com/cloud/template/TemplateAdapterBase.java @@ -95,13 +95,6 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat return true; } - private static boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || - (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) || - (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || - (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); - } - @Override public TemplateProfile prepare(boolean isIso, Long userId, String name, String displayText, Integer bits, Boolean passwordEnabled, Boolean requiresHVM, String url, Boolean isPublic, Boolean featured, @@ -158,7 +151,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat sshkeyEnabled = Boolean.FALSE; } - boolean isAdmin = _accountDao.findById(templateOwner.getId()).getType() == Account.ACCOUNT_TYPE_ADMIN; + boolean isAdmin = _accountMgr.isRootAdmin(templateOwner.getId()); if (!isAdmin && zoneId == null) { throw new InvalidParameterValueException("Please specify a valid zone Id."); @@ -191,7 +184,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat _resourceLimitMgr.checkResourceLimit(templateOwner, ResourceType.template); - if (templateOwner.getType() != Account.ACCOUNT_TYPE_ADMIN && zoneId == null) { + if (!_accountMgr.isRootAdmin(templateOwner.getId()) && zoneId == null) { throw new IllegalArgumentException("Only admins can create templates in all zones"); } @@ -202,7 +195,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat throw new IllegalArgumentException("Please specify a valid zone."); } Account caller = CallContext.current().getCallingAccount(); - if(Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getType())){ + if(Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())){ throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: "+ zoneId ); } } @@ -298,7 +291,7 @@ public abstract class TemplateAdapterBase extends AdapterBase implements Templat throws PermissionDeniedException { if (account != null) { - if (!isAdmin(account.getType())) { + if (!_accountMgr.isAdmin(account.getType())) { if ((vmInstanceCheck != null) && (account.getId() != vmInstanceCheck.getAccountId())) { throw new PermissionDeniedException(msg + ". Permission denied."); } diff --git a/server/src/com/cloud/template/TemplateManagerImpl.java b/server/src/com/cloud/template/TemplateManagerImpl.java index e11ac0db3c2..a1e20b9f0b1 100755 --- a/server/src/com/cloud/template/TemplateManagerImpl.java +++ b/server/src/com/cloud/template/TemplateManagerImpl.java @@ -334,12 +334,12 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, public VirtualMachineTemplate registerTemplate(RegisterTemplateCmd cmd) throws URISyntaxException, ResourceAllocationException { Account account = CallContext.current().getCallingAccount(); if (cmd.getTemplateTag() != null) { - if (!_accountService.isRootAdmin(account.getType())) { + if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied"); } } if(cmd.isRoutingType() != null){ - if(!_accountService.isRootAdmin(account.getType())){ + if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied"); } } @@ -422,7 +422,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, } eventId = eventId == null ? 0 : eventId; - if (!_accountMgr.isRootAdmin(caller.getType()) && _disableExtraction) { + if (!_accountMgr.isRootAdmin(caller.getId()) && _disableExtraction) { throw new PermissionDeniedException("Extraction has been disabled by admin"); } @@ -453,7 +453,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, throw new IllegalArgumentException("Please specify a valid zone."); } - if (!_accountMgr.isRootAdmin(caller.getType()) && !template.isExtractable()) { + if (!_accountMgr.isRootAdmin(caller.getId()) && !template.isExtractable()) { throw new InvalidParameterValueException("Unable to extract template id=" + templateId + " as it's not extractable"); } @@ -1248,7 +1248,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, updatedTemplate.setFeatured(isFeatured.booleanValue()); } - if (isExtractable != null && caller.getType() == Account.ACCOUNT_TYPE_ADMIN) {// Only + if (isExtractable != null && _accountMgr.isRootAdmin(caller.getId())) {// Only // ROOT // admins // allowed @@ -1258,7 +1258,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, // powerful // attribute updatedTemplate.setExtractable(isExtractable.booleanValue()); - } else if (isExtractable != null && caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + } else if (isExtractable != null && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Only ROOT admins are allowed to modify this attribute."); } @@ -1438,18 +1438,13 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, } } - private static boolean isAdmin(short accountType) { - return ((accountType == Account.ACCOUNT_TYPE_ADMIN) || (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN) - || (accountType == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) || (accountType == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN)); - } - @Override @ActionEvent(eventType = EventTypes.EVENT_TEMPLATE_CREATE, eventDescription = "creating template", create = true) public VMTemplateVO createPrivateTemplateRecord(CreateTemplateCmd cmd, Account templateOwner) throws ResourceAllocationException { Long userId = CallContext.current().getCallingUserId(); Account caller = CallContext.current().getCallingAccount(); - boolean isAdmin = (isAdmin(caller.getType())); + boolean isAdmin = (_accountMgr.isAdmin(caller.getType())); _accountMgr.checkAccess(caller, null, true, templateOwner); @@ -1459,7 +1454,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, } if (cmd.getTemplateTag() != null) { - if (!_accountService.isRootAdmin(caller.getType())) { + if (!_accountService.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Parameter templatetag can only be specified by a Root Admin, permission denied"); } } @@ -1722,7 +1717,7 @@ public class TemplateManagerImpl extends ManagerBase implements TemplateManager, // do a permission check _accountMgr.checkAccess(account, AccessType.ModifyEntry, true, template); if(cmd.isRoutingType() != null){ - if(!_accountService.isRootAdmin(account.getType())){ + if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException("Parameter isrouting can only be specified by a Root Admin, permission denied"); } } diff --git a/server/src/com/cloud/usage/UsageServiceImpl.java b/server/src/com/cloud/usage/UsageServiceImpl.java index 2ffb01d3bce..c96e036259f 100755 --- a/server/src/com/cloud/usage/UsageServiceImpl.java +++ b/server/src/com/cloud/usage/UsageServiceImpl.java @@ -47,6 +47,7 @@ import com.cloud.projects.ProjectManager; import com.cloud.usage.dao.UsageDao; import com.cloud.usage.dao.UsageJobDao; import com.cloud.user.Account; +import com.cloud.user.AccountService; import com.cloud.user.AccountVO; import com.cloud.user.dao.AccountDao; import com.cloud.utils.component.Manager; @@ -69,6 +70,8 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag @Inject private ConfigurationDao _configDao; @Inject private ProjectManager _projectMgr; private TimeZone _usageTimezone; + @Inject + private AccountService _accountService; public UsageServiceImpl() { } @@ -156,7 +159,7 @@ public class UsageServiceImpl extends ManagerBase implements UsageService, Manag accountId = caller.getId(); //List records for all the accounts if the caller account is of type admin. //If account_id or account_name is explicitly mentioned, list records for the specified account only even if the caller is of type admin - if(caller.getType() == Account.ACCOUNT_TYPE_ADMIN){ + if (_accountService.isRootAdmin(caller.getId())) { isAdmin = true; } s_logger.debug("Account details not available. Using userContext accountId: " + accountId); diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 9a035903fbc..e78620e5cb7 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java @@ -344,16 +344,19 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } @Override - public boolean isRootAdmin(short accountType) { - return (accountType == Account.ACCOUNT_TYPE_ADMIN); + public boolean isRootAdmin(long accountId) { + // refer to account_group_map and check if account is in Root 'Admin' + // group + return false; } public boolean isResourceDomainAdmin(short accountType) { return (accountType == Account.ACCOUNT_TYPE_RESOURCE_DOMAIN_ADMIN); } - public boolean isInternalAccount(short accountType) { - if (isRootAdmin(accountType) || (accountType == Account.ACCOUNT_ID_SYSTEM)) { + public boolean isInternalAccount(long accountId) { + Account account = _accountDao.findById(accountId); + if (isRootAdmin(accountId) || (account.getType() == Account.ACCOUNT_ID_SYSTEM)) { return true; } return false; @@ -377,7 +380,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M @Override public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, ControlledEntity... entities) { - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) { // no need to make permission checks if the system/root admin makes the call if (s_logger.isTraceEnabled()) { s_logger.trace("No need to make permission check for System/RootAdmin account, returning true"); @@ -1973,7 +1976,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M // return null; } // Whenever the user is able to log in successfully, reset the login attempts to zero - if(!isInternalAccount(userAccount.getType())) + if (!isInternalAccount(userAccount.getId())) updateLoginAttempts(userAccount.getId(), 0, false); return userAccount; @@ -2230,7 +2233,7 @@ public class AccountManagerImpl extends ManagerBase implements AccountManager, M } else if (!listAll) { if (id == null) { permittedAccounts.add(caller.getId()); - } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + } else if (!isRootAdmin(caller.getId())) { domainIdRecursiveListProject.first(caller.getDomainId()); domainIdRecursiveListProject.second(true); } diff --git a/server/src/com/cloud/user/DomainManagerImpl.java b/server/src/com/cloud/user/DomainManagerImpl.java index b885c48eda8..58e8017aebf 100644 --- a/server/src/com/cloud/user/DomainManagerImpl.java +++ b/server/src/com/cloud/user/DomainManagerImpl.java @@ -431,7 +431,7 @@ public class DomainManagerImpl extends ManagerBase implements DomainManager, Dom } _accountMgr.checkAccess(caller, domain); } else { - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { domainId = caller.getDomainId(); } if (listAll) { diff --git a/server/src/com/cloud/vm/UserVmManagerImpl.java b/server/src/com/cloud/vm/UserVmManagerImpl.java index ea9c5409f79..84c891970ad 100755 --- a/server/src/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/com/cloud/vm/UserVmManagerImpl.java @@ -1800,7 +1800,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir if (isDisplayVmEnabled == null) { isDisplayVmEnabled = vmInstance.isDisplayVm(); } else{ - if(!_accountMgr.isRootAdmin(caller.getType())){ + if(!_accountMgr.isRootAdmin(caller.getId())){ throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted "); } } @@ -2471,7 +2471,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir assert !(requestedIps != null && (defaultIps.getIp4Address() != null || defaultIps.getIp6Address() != null)) : "requestedIp list and defaultNetworkIp should never be specified together"; if (Grouping.AllocationState.Disabled == zone.getAllocationState() - && !_accountMgr.isRootAdmin(caller.getType())) { + && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException( "Cannot perform this operation, Zone is currently disabled: " + zone.getId()); @@ -2540,7 +2540,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // Root admin has access to both VM and AG by default, // but // make sure the owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { if (!_affinityGroupService.isAffinityGroupAvailableInDomain(ag.getId(), owner.getDomainId())) { throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's domain"); @@ -2551,7 +2551,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // Root admin has access to both VM and AG by default, // but // make sure the owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { if (ag.getAccountId() != owner.getAccountId()) { throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account"); @@ -2776,7 +2776,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir } if(isDisplayVmEnabled != null){ - if(!_accountMgr.isRootAdmin(caller.getType())){ + if(!_accountMgr.isRootAdmin(caller.getId())){ throw new PermissionDeniedException( "Cannot update parameter displayvm, only admin permitted "); } vm.setDisplayVm(isDisplayVmEnabled); @@ -3264,7 +3264,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir Host destinationHost = null; if (hostId != null) { Account account = CallContext.current().getCallingAccount(); - if (!_accountService.isRootAdmin(account.getType())) { + if (!_accountService.isRootAdmin(account.getId())) { throw new PermissionDeniedException( "Parameter hostid can only be specified by a Root Admin, permission denied"); } @@ -3759,7 +3759,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir public VirtualMachine vmStorageMigration(Long vmId, StoragePool destPool) { // access check - only root admin can migrate VM Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -3832,7 +3832,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir ManagementServerException, VirtualMachineMigrationException { // access check - only root admin can migrate VM Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -4162,7 +4162,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir ManagementServerException, VirtualMachineMigrationException { // Access check - only root administrator can migrate VM. Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) { + if (!_accountMgr.isRootAdmin(caller.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("Caller is not a root admin, permission denied to migrate the VM"); } @@ -4289,7 +4289,7 @@ public class UserVmManagerImpl extends ManagerBase implements UserVmManager, Vir // VV 1: verify the two users Account caller = CallContext.current().getCallingAccount(); - if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN + if (!_accountMgr.isRootAdmin(caller.getId()) && caller.getType() != Account.ACCOUNT_TYPE_DOMAIN_ADMIN) { // only // root // admin diff --git a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java index 8f2caad9780..9343b22808e 100644 --- a/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java +++ b/server/src/org/apache/cloudstack/affinity/AffinityGroupServiceImpl.java @@ -161,7 +161,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType); - if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getType())) { + if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot create the affinity group"); } @@ -176,7 +176,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro } else if (domainId != null && account == null) { - if (!_accountMgr.isRootAdmin(caller.getType())) { + if (!_accountMgr.isRootAdmin(caller.getId())) { // non root admin need to pass both account and domain throw new InvalidParameterValueException( "Unable to create affinity group, account name must be passed with the domainId"); @@ -484,7 +484,7 @@ public class AffinityGroupServiceImpl extends ManagerBase implements AffinityGro _accountMgr.checkAccess(caller, null, true, owner, ag); // Root admin has access to both VM and AG by default, but make sure the // owner of these entities is same - if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType())) { + if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId())) { if (ag.getAccountId() != owner.getAccountId()) { throw new PermissionDeniedException("Affinity Group " + ag + " does not belong to the VM's account"); diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index 38cc1a84a55..7a8e1ee3efc 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java @@ -163,7 +163,7 @@ public class MockAccountManagerImpl extends ManagerBase implements Manager, Acco } @Override - public boolean isRootAdmin(short accountType) { + public boolean isRootAdmin(long accountId) { // TODO Auto-generated method stub return false; }