apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-6535: IAM:MS:API createVMSnapshot doesn't preserve access

Browse Source 
rights.
This commit is contained in:
Min Chen 2014-05-01 12:12:52 -07:00
parent 95e9db2f91
commit d7c5382c58
4 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
api/src/org/apache/cloudstack/api/command/admin/vm/AddNicToVMCmdByAdmin.java
View File

@ -31,8 +31,9 @@ import org.apache.cloudstack.api.response.UserVmResponse;
import org.apache.cloudstack.context.CallContext;
import com.cloud.uservm.UserVm;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full,
@APICommand(name = "addNicToVirtualMachine", description = "Adds VM to specified network by creating a NIC", responseObject = UserVmResponse.class, responseView = ResponseView.Full, entityType = {VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = true)
public class AddNicToVMCmdByAdmin extends AddNicToVMCmd {
public static final Logger s_logger = Logger.getLogger(AddNicToVMCmdByAdmin.class);

5
api/src/org/apache/cloudstack/api/command/admin/volume/CreateVolumeCmdByAdmin.java
View File

@ -28,8 +28,11 @@ import org.apache.cloudstack.context.CallContext;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full)
@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Full, entityType = {
Volume.class, VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreateVolumeCmdByAdmin extends CreateVolumeCmd {
public static final Logger s_logger = Logger.getLogger(CreateVolumeCmdByAdmin.class.getName());

7
api/src/org/apache/cloudstack/api/command/user/volume/CreateVolumeCmd.java
View File

@ -19,6 +19,7 @@ package org.apache.cloudstack.api.command.user.volume;
import org.apache.log4j.Logger;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandJobType;
@ -42,8 +43,10 @@ import com.cloud.event.EventTypes;
import com.cloud.exception.ResourceAllocationException;
import com.cloud.storage.Snapshot;
import com.cloud.storage.Volume;
import com.cloud.vm.VirtualMachine;
@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {Volume.class},
@APICommand(name = "createVolume", responseObject = VolumeResponse.class, description = "Creates a disk volume from a disk offering. This disk volume must still be attached to a virtual machine to make use of it.", responseView = ResponseView.Restricted, entityType = {
Volume.class, VirtualMachine.class},
requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
public static final Logger s_logger = Logger.getLogger(CreateVolumeCmd.class.getName());
@ -103,7 +106,7 @@ public class CreateVolumeCmd extends BaseAsyncCreateCustomIdCmd {
@Parameter(name = ApiConstants.DISPLAY_VOLUME, type = CommandType.BOOLEAN, description = "an optional field, whether to display the volume to the end user or not.", authorized = {RoleType.Admin})
private Boolean displayVolume;
@ACL
@ACL(accessType = AccessType.OperateEntry)
@Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
type = CommandType.UUID,
entityType = UserVmResponse.class,

12
server/src/com/cloud/api/dispatch/ParamProcessWorker.java
View File

@ -42,6 +42,7 @@ import org.apache.cloudstack.acl.SecurityChecker.AccessType;
import org.apache.cloudstack.api.ACL;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
import org.apache.cloudstack.api.BaseCmd;
import org.apache.cloudstack.api.BaseCmd.CommandType;
import org.apache.cloudstack.api.EntityReference;
@ -227,6 +228,17 @@ public class ParamProcessWorker implements DispatchWorker {
owner = caller;
}
if (cmd instanceof BaseAsyncCreateCmd) {
if (owner.getId() != caller.getId()) {
// mimic impersonation either by passing (account, domainId) or through derived owner from other api parameters
// in this case, we should check access using the owner
_accountMgr.checkAccess(caller, null, owner);
}
} else {
// check access using the caller for other operational cmds
owner = caller;
}
APICommand commandAnnotation = cmd.getClass().getAnnotation(APICommand.class);
String apiName = commandAnnotation != null ? commandAnnotation.name() : null;