Example 1 with AffinityGroup

Use of com.cloud.affinity.AffinityGroup in project cosmic by MissionCriticalCloud.

The class AccountManagerImpl, method checkAccess.

@Override
public void checkAccess(final Account caller, final AccessType accessType, final boolean sameOwner, final String apiName, final ControlledEntity... entities) {
    // check for the same owner
    Long ownerId = null;
    ControlledEntity prevEntity = null;
    if (sameOwner) {
        for (final ControlledEntity entity : entities) {
            if (sameOwner) {
                if (ownerId == null) {
                    ownerId = entity.getAccountId();
                } else if (ownerId.longValue() != entity.getAccountId()) {
                    throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
                }
                prevEntity = entity;
            }
        }
    }
    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }
    final HashMap<Long, List<ControlledEntity>> domains = new HashMap<>();
    for (final ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            final Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }
        // Collect the domains to be checked afterwards. Templates, networks accessed with
        // UseEntry, and affinity groups are exempt from the cross-domain check.
        if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
            // Look up by the resolved domainId so that a domainId derived from the account
            // above uses the same key as the put() below.
            List<ControlledEntity> toBeChecked = domains.get(domainId);
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }
        boolean granted = false;
        for (final SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }
    for (final Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        for (final SecurityChecker checker : _securityCheckers) {
            final Domain d = _domainMgr.getDomain(domain.getKey());
            if (d == null || d.getRemoved() != null) {
                throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
            }
            try {
                checker.checkAccess(caller, d);
            } catch (final PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
}

Example 2 with AffinityGroup

Use of com.cloud.affinity.AffinityGroup in project cosmic by MissionCriticalCloud.

The class CreateAffinityGroupCmd, method execute.

// ///////////////////////////////////////////////////
// ///////////// API Implementation///////////////////
// ///////////////////////////////////////////////////
@Override
public void execute() {
    final AffinityGroup group = _affinityGroupService.getAffinityGroup(getEntityId());
    if (group != null) {
        final AffinityGroupResponse response = _responseGenerator.createAffinityGroupResponse(group);
        response.setResponseName(getCommandName());
        setResponseObject(response);
    } else {
        throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Failed to create affinity group:" + affinityGroupName);
    }
}

Example 3 with AffinityGroup

Use of com.cloud.affinity.AffinityGroup in project cosmic by MissionCriticalCloud.

The class DedicatedResourceManagerImpl, method createDedicateHostResponse.

@Override
public DedicateHostResponse createDedicateHostResponse(final DedicatedResources resource) {
    final DedicateHostResponse dedicateHostResponse = new DedicateHostResponse();
    final HostVO host = _hostDao.findById(resource.getHostId());
    final DomainVO domain = _domainDao.findById(resource.getDomainId());
    final AccountVO account = _accountDao.findById(resource.getAccountId());
    final AffinityGroup group = _affinityGroupDao.findById(resource.getAffinityGroupId());
    dedicateHostResponse.setId(resource.getUuid());
    dedicateHostResponse.setHostId(host.getUuid());
    dedicateHostResponse.setHostName(host.getName());
    dedicateHostResponse.setDomainId(domain.getUuid());
    dedicateHostResponse.setDomainName(domain.getName());
    dedicateHostResponse.setAffinityGroupId(group.getUuid());
    if (account != null) {
        dedicateHostResponse.setAccountId(account.getUuid());
        dedicateHostResponse.setAccountName(account.getAccountName());
    }
    dedicateHostResponse.setObjectName("dedicatedhost");
    return dedicateHostResponse;
}

Example 4 with AffinityGroup

Use of com.cloud.affinity.AffinityGroup in project cosmic by MissionCriticalCloud.

The class DedicatedResourceManagerImpl, method dedicateZone.

@Override
@DB
@ActionEvent(eventType = EventTypes.EVENT_DEDICATE_RESOURCE, eventDescription = "dedicating a Zone")
public List<DedicatedResourceVO> dedicateZone(final Long zoneId, final Long domainId, final String accountName) {
    Long accountId = null;
    List<HostVO> hosts = null;
    if (accountName != null) {
        final Account caller = CallContext.current().getCallingAccount();
        final Account owner = _accountMgr.finalizeOwner(caller, accountName, domainId, null);
        accountId = owner.getId();
    }
    final List<Long> childDomainIds = getDomainChildIds(domainId);
    childDomainIds.add(domainId);
    checkAccountAndDomain(accountId, domainId);
    final Zone zone = zoneRepository.findOne(zoneId);
    if (zone == null) {
        throw new InvalidParameterValueException("Unable to find zone by id " + zoneId);
    } else {
        final DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(zoneId);
        // check if zone is dedicated
        if (dedicatedZone != null) {
            s_logger.error("Zone " + zone.getName() + " is already dedicated");
            throw new CloudRuntimeException("Zone  " + zone.getName() + " is already dedicated");
        }
        // check if any resource under this zone is dedicated to different account or sub-domain
        final List<HostPodVO> pods = _podDao.listByDataCenterId(zone.getId());
        final List<DedicatedResourceVO> podsToRelease = new ArrayList<>();
        final List<DedicatedResourceVO> clustersToRelease = new ArrayList<>();
        final List<DedicatedResourceVO> hostsToRelease = new ArrayList<>();
        for (final HostPodVO pod : pods) {
            final DedicatedResourceVO dPod = _dedicatedDao.findByPodId(pod.getId());
            if (dPod != null) {
                if (!(childDomainIds.contains(dPod.getDomainId()))) {
                    throw new CloudRuntimeException("Pod " + pod.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                }
                if (accountId != null) {
                    if (dPod.getAccountId().equals(accountId)) {
                        podsToRelease.add(dPod);
                    } else {
                        s_logger.error("Pod " + pod.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                        throw new CloudRuntimeException("Pod " + pod.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                    }
                } else {
                    if (dPod.getAccountId() == null && dPod.getDomainId().equals(domainId)) {
                        podsToRelease.add(dPod);
                    }
                }
            }
        }
        for (final DedicatedResourceVO dr : podsToRelease) {
            releaseDedicatedResource(null, dr.getPodId(), null, null);
        }
        final List<ClusterVO> clusters = _clusterDao.listClustersByDcId(zone.getId());
        for (final ClusterVO cluster : clusters) {
            final DedicatedResourceVO dCluster = _dedicatedDao.findByClusterId(cluster.getId());
            if (dCluster != null) {
                if (!(childDomainIds.contains(dCluster.getDomainId()))) {
                    throw new CloudRuntimeException("Cluster " + cluster.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                }
                if (accountId != null) {
                    if (dCluster.getAccountId().equals(accountId)) {
                        clustersToRelease.add(dCluster);
                    } else {
                        s_logger.error("Cluster " + cluster.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                        throw new CloudRuntimeException("Cluster " + cluster.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                    }
                } else {
                    if (dCluster.getAccountId() == null && dCluster.getDomainId().equals(domainId)) {
                        clustersToRelease.add(dCluster);
                    }
                }
            }
        }
        for (final DedicatedResourceVO dr : clustersToRelease) {
            releaseDedicatedResource(null, null, dr.getClusterId(), null);
        }
        hosts = _hostDao.listByDataCenterId(zone.getId());
        for (final HostVO host : hosts) {
            final DedicatedResourceVO dHost = _dedicatedDao.findByHostId(host.getId());
            if (dHost != null) {
                if (!(childDomainIds.contains(dHost.getDomainId()))) {
                    throw new CloudRuntimeException("Host " + host.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                }
                if (accountId != null) {
                    if (dHost.getAccountId().equals(accountId)) {
                        hostsToRelease.add(dHost);
                    } else {
                        s_logger.error("Host " + host.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                        throw new CloudRuntimeException("Host " + host.getName() + " under this Zone " + zone.getName() + " is dedicated to different account/domain");
                    }
                } else {
                    if (dHost.getAccountId() == null && dHost.getDomainId().equals(domainId)) {
                        hostsToRelease.add(dHost);
                    }
                }
            }
        }
        for (final DedicatedResourceVO dr : hostsToRelease) {
            releaseDedicatedResource(null, null, null, dr.getHostId());
        }
    }
    checkHostsSuitabilityForExplicitDedication(accountId, childDomainIds, hosts);
    final Long accountIdFinal = accountId;
    return Transaction.execute(new TransactionCallback<List<DedicatedResourceVO>>() {

        @Override
        public List<DedicatedResourceVO> doInTransaction(final TransactionStatus status) {
            // find or create the affinity group by name under this account/domain
            final AffinityGroup group = findOrCreateDedicatedAffinityGroup(domainId, accountIdFinal);
            if (group == null) {
                s_logger.error("Unable to dedicate zone due to, failed to create dedication affinity group");
                throw new CloudRuntimeException("Failed to dedicate zone. Please contact Cloud Support.");
            }
            DedicatedResourceVO dedicatedResource = new DedicatedResourceVO(zoneId, null, null, null, null, null, group.getId());
            try {
                dedicatedResource.setDomainId(domainId);
                if (accountIdFinal != null) {
                    dedicatedResource.setAccountId(accountIdFinal);
                }
                dedicatedResource = _dedicatedDao.persist(dedicatedResource);
                // save the domainId in the zone
                zone.setDomainId(domainId);
                zoneRepository.save(zone);
            } catch (final Exception e) {
                s_logger.error("Unable to dedicate zone due to " + e.getMessage(), e);
                throw new CloudRuntimeException("Failed to dedicate zone. Please contact Cloud Support.");
            }
            final List<DedicatedResourceVO> result = new ArrayList<>();
            result.add(dedicatedResource);
            return result;
        }
    });
}

Example 5 with AffinityGroup

Use of com.cloud.affinity.AffinityGroup in project cosmic by MissionCriticalCloud.

The class DomainChecker, method checkAccess.

@Override
public boolean checkAccess(final Account caller, final ControlledEntity entity, final AccessType accessType) throws PermissionDeniedException {
    if (entity instanceof VirtualMachineTemplate) {
        final VirtualMachineTemplate template = (VirtualMachineTemplate) entity;
        final Account owner = _accountDao.findById(template.getAccountId());
        // validate that the template is usable by the account
        if (!template.isPublicTemplate()) {
            if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) {
                return true;
            }
            // special handling for the project case
            if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT && _projectMgr.canAccessProjectAccount(caller, owner.getId())) {
                return true;
            }
            // since the current account is not the owner of the template, check the launch permissions table to see if the
            // account can launch a VM from this template
            final LaunchPermissionVO permission = _launchPermissionDao.findByTemplateAndAccount(template.getId(), caller.getId());
            if (permission == null) {
                throw new PermissionDeniedException(caller + " does not have permission to launch instances from " + template);
            }
        } else {
            // Domain admin and regular user can delete/modify only templates created by them
            if (accessType != null && accessType == AccessType.OperateEntry) {
                if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) {
                    // For projects check if the caller account can access the project account
                    if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) {
                        throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
                    }
                }
            }
        }
        return true;
    } else if (entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) {
        _networkMgr.checkNetworkPermissions(caller, (Network) entity);
    } else if (entity instanceof AffinityGroup) {
        // DomainChecker does not decide access to affinity groups; returning false leaves the
        // decision to another SecurityChecker, and the caller denies access if none grants it.
        return false;
    } else {
        if (_accountService.isNormalUser(caller.getId())) {
            final Account account = _accountDao.findById(entity.getAccountId());
            if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
                // only project owner can delete/modify the project
                if (accessType != null && accessType == AccessType.ModifyProject) {
                    if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
                        throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                    }
                } else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                }
            } else {
                if (caller.getId() != entity.getAccountId()) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                }
            }
        }
    }
    return true;
}