use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class ConfigurationManagerImpl method createPod.
/**
 * Creates a pod inside an existing zone and records its private and link-local IP ranges.
 *
 * <p>Authorization visible in this method is limited to one rule: when the zone's allocation
 * state is {@code Disabled}, only a root admin may add a pod to it. No other caller check is
 * made here. NOTE(review): any further access control presumably lives in the API layer that
 * invokes this method; confirm before exposing it to a new caller.
 *
 * @param userId id of the requesting user; not read by this method
 * @param podName name of the new pod
 * @param zoneId id of the zone that will own the pod
 * @param gateway gateway address of the pod
 * @param cidr CIDR of the pod, split into address and size via getCidrAddress/getCidrSize
 * @param startIp first address of the pod's private range; required
 * @param endIp last address of the private range; when null it is derived from the CIDR
 * @param allocationStateStr optional name of a {@code Grouping.AllocationState} constant
 * @param skipGatewayOverlapCheck forwarded unchanged to checkPodAttributes
 * @return the persisted pod
 * @throws InvalidParameterValueException if the zone is not valid or startIp is null
 * @throws PermissionDeniedException if the zone is disabled and the caller is not a root admin
 */
@Override
@DB
public HostPodVO createPod(final long userId, final String podName, final long zoneId, final String gateway, final String cidr, final String startIp, String endIp, final String allocationStateStr, final boolean skipGatewayOverlapCheck) {
    if (!validZone(zoneId)) {
        throw new InvalidParameterValueException("Please specify a valid zone.");
    }

    // A disabled zone only accepts new pods from a root admin.
    final DataCenterVO zone = _zoneDao.findById(zoneId);
    final Account caller = CallContext.current().getCallingAccount();
    final boolean zoneDisabled = Grouping.AllocationState.Disabled == zone.getAllocationState();
    if (zoneDisabled && !_accountMgr.isRootAdmin(caller.getId())) {
        throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
    }

    final String cidrAddress = getCidrAddress(cidr);
    final int cidrSize = getCidrSize(cidr);

    // Default the end of the range to the last address of the CIDR when only a start was given.
    if (startIp != null && endIp == null) {
        endIp = NetUtils.getIpRangeEndIpFromCidr(cidrAddress, cidrSize);
    }

    // Validation runs before the start-ip requirement below, so its errors take precedence.
    checkPodAttributes(-1, podName, zoneId, gateway, cidr, startIp, endIp, allocationStateStr, true, skipGatewayOverlapCheck);

    if (startIp == null) {
        throw new InvalidParameterValueException("Start ip is required parameter");
    }
    final String ipRange = startIp + "-" + endIp;

    final HostPodVO newPod = new HostPodVO(podName, zoneId, gateway, cidrAddress, cidrSize, ipRange);
    if (allocationStateStr != null && !allocationStateStr.isEmpty()) {
        // valueOf rejects any name that is not an AllocationState constant.
        newPod.setAllocationState(Grouping.AllocationState.valueOf(allocationStateStr));
    }

    // The anonymous callback can only capture final locals, hence the copy.
    final String resolvedEndIp = endIp;
    return Transaction.execute(new TransactionCallback<HostPodVO>() {
        @Override
        public HostPodVO doInTransaction(final TransactionStatus status) {
            final HostPodVO stored = _podDao.persist(newPod);
            // startIp cannot be null here (rejected above); the guard is kept as written.
            if (startIp != null) {
                _zoneDao.addPrivateIpAddress(zoneId, stored.getId(), startIp, resolvedEndIp);
            }
            final String[] linkLocalRange = getLinkLocalIPRange();
            if (linkLocalRange != null) {
                _zoneDao.addLinkLocalIpAddress(zoneId, stored.getId(), linkLocalRange[0], linkLocalRange[1]);
            }
            return stored;
        }
    });
}
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class AccountManagerImpl method updateUser.
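/**
 * Updates the profile fields, password and API key pair of an existing user.
 *
 * <p>Only non-null arguments are applied. The target must not belong to a project account or
 * to the system account, and the calling account must pass
 * {@code checkAccess(..., AccessType.OperateEntry, true, account)} on the target's account.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The API key is never written into an exception message or log line by this method.</li>
 *   <li>The API key uniqueness error is thrown directly, so the caller sees the validation
 *       error instead of a generic "Unable to update user".</li>
 *   <li>NOTE(review): the password is replaced without the current password being supplied,
 *       and the key pair is stored exactly as given. Whether re-authentication or key-format
 *       checks happen upstream is not visible here; confirm.</li>
 * </ul>
 *
 * @param userId id of the user to update
 * @param firstName new first name, or null to keep the current one; must not be empty
 * @param lastName new last name, or null to keep the current one; must not be empty
 * @param email new e-mail address, or null to keep the current one
 * @param userName new user name, or null to keep the current one; must be unique in the domain
 * @param password new clear-text password, or null to keep the current one; must not be empty
 * @param apiKey new API key; must be supplied together with {@code secretKey}
 * @param secretKey new secret key; must be supplied together with {@code apiKey}
 * @param timeZone new time zone, or null to keep the current one
 * @return the updated user as loaded from the user-account DAO
 * @throws InvalidParameterValueException on unknown user/account, empty values, a duplicate
 *         user name, an incomplete key pair, or an API key already held by another user
 * @throws PermissionDeniedException if the target belongs to the system account
 * @throws CloudRuntimeException if no encoder accepts the password or the update fails
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_USER_UPDATE, eventDescription = "updating User")
public UserAccount updateUser(Long userId, String firstName, String lastName, String email, String userName, String password, String apiKey, String secretKey, String timeZone) {
    // Input validation
    UserVO user = _userDao.getUser(userId);
    if (user == null) {
        throw new InvalidParameterValueException("unable to find user by id");
    }
    // The key pair is all-or-nothing: one half without the other is rejected.
    if ((apiKey == null && secretKey != null) || (apiKey != null && secretKey == null)) {
        throw new InvalidParameterValueException("Please provide an userApiKey/userSecretKey pair");
    }

    Account account = _accountDao.findById(user.getAccountId());
    if (account == null) {
        throw new InvalidParameterValueException("unable to find user account " + user.getAccountId());
    }
    // Project accounts are not updatable; the message is the same as for an unknown user.
    if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        throw new InvalidParameterValueException("unable to find user by id");
    }
    // don't allow updating system account
    if (account.getId() == Account.ACCOUNT_ID_SYSTEM) {
        throw new PermissionDeniedException("user id : " + userId + " is system account, update is not allowed");
    }

    // Authorization: every change below is applied only after the caller passed this check.
    checkAccess(CallContext.current().getCallingAccount(), AccessType.OperateEntry, true, account);

    if (firstName != null) {
        if (firstName.isEmpty()) {
            throw new InvalidParameterValueException("Firstname is empty");
        }
        user.setFirstname(firstName);
    }
    if (lastName != null) {
        if (lastName.isEmpty()) {
            throw new InvalidParameterValueException("Lastname is empty");
        }
        user.setLastname(lastName);
    }
    if (userName != null) {
        if (userName.isEmpty()) {
            throw new InvalidParameterValueException("Username is empty");
        }
        // don't allow to have same user names in the same domain
        List<UserVO> duplicatedUsers = _userDao.findUsersByName(userName);
        for (UserVO duplicatedUser : duplicatedUsers) {
            if (duplicatedUser.getId() != user.getId()) {
                Account duplicatedUserAccount = _accountDao.findById(duplicatedUser.getAccountId());
                if (duplicatedUserAccount.getDomainId() == account.getDomainId()) {
                    throw new InvalidParameterValueException("User with name " + userName + " already exists in domain " + duplicatedUserAccount.getDomainId());
                }
            }
        }
        user.setUsername(userName);
    }
    if (password != null) {
        if (password.isEmpty()) {
            throw new InvalidParameterValueException("Password cannot be empty");
        }
        // The first configured encoder that returns a non-null value wins.
        String encodedPassword = null;
        for (Iterator<UserAuthenticator> en = _userPasswordEncoders.iterator(); en.hasNext(); ) {
            UserAuthenticator authenticator = en.next();
            encodedPassword = authenticator.encode(password);
            if (encodedPassword != null) {
                break;
            }
        }
        if (encodedPassword == null) {
            throw new CloudRuntimeException("Failed to encode password");
        }
        user.setPassword(encodedPassword);
    }
    if (email != null) {
        user.setEmail(email);
    }
    if (timeZone != null) {
        user.setTimezone(timeZone);
    }
    if (apiKey != null) {
        // The pair check above guarantees secretKey is non-null whenever apiKey is.
        // The key must be globally unique. This check sits outside the try block below so the
        // validation error is not caught and logged, and the message deliberately leaves out
        // the key value and any hint about which user holds it.
        Pair<User, Account> apiKeyOwner = _accountDao.findUserAccountByApiKey(apiKey);
        if (apiKeyOwner != null && apiKeyOwner.first().getId() != userId) {
            throw new InvalidParameterValueException("The api key provided is already in use, please provide a unique key");
        }
        user.setApiKey(apiKey);
        user.setSecretKey(secretKey);
    }
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("updating user with id: " + userId);
    }
    try {
        _userDao.update(userId, user);
    } catch (Throwable th) {
        s_logger.error("error updating user", th);
        // Keep the cause attached so the failure can be diagnosed from the rethrown exception.
        throw new CloudRuntimeException("Unable to update user " + userId, th);
    }
    CallContext.current().putContextParameter(User.class, user.getUuid());
    return _userAccountDao.findById(userId);
}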
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class AccountManagerImpl method finalizeOwner.
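/**
 * Resolves the account that will own a resource, given what the caller asked for.
 *
 * <p>Resolution order:
 * <ol>
 *   <li>{@code projectId} given: the project's account, if the caller may access it.</li>
 *   <li>{@code accountName} and {@code domainId} given by an admin: that active account,
 *       after the caller passed {@code checkAccess} on the domain.</li>
 *   <li>{@code accountName} and {@code domainId} given by a non-admin: only the caller's own
 *       account is accepted.</li>
 *   <li>Neither given: the caller.</li>
 * </ol>
 *
 * <p>In the admin branch the domain access check runs before the account lookup, so a caller
 * without rights on the domain gets a permission error instead of a lookup result that
 * reveals whether the named account exists there.
 *
 * <p>NOTE(review): a lone {@code accountName} or {@code domainId} passed together with
 * {@code projectId} is not rejected and is simply ignored; only the full triple is refused.
 *
 * @param caller the account making the request
 * @param accountName requested owner account name, or null
 * @param domainId requested owner domain id, or null
 * @param projectId requested owner project id, or null
 * @return the account that should own the resource
 * @throws InvalidParameterValueException on inconsistent or unresolvable arguments
 * @throws PermissionDeniedException if the caller may not act for the requested owner
 */
@Override
public Account finalizeOwner(Account caller, String accountName, Long domainId, Long projectId) {
    // don't default the owner to the system account
    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM && ((accountName == null || domainId == null) && projectId == null)) {
        throw new InvalidParameterValueException("Account and domainId are needed for resource creation");
    }
    // projectId and account/domainId can't be specified together
    if ((accountName != null && domainId != null) && projectId != null) {
        throw new InvalidParameterValueException("ProjectId and account/domainId can't be specified together");
    }

    if (projectId != null) {
        Project project = _projectMgr.getProject(projectId);
        if (project == null) {
            throw new InvalidParameterValueException("Unable to find project by id=" + projectId);
        }
        if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
            throw new PermissionDeniedException("Account " + caller + " is unauthorised to use project id=" + projectId);
        }
        return getAccount(project.getProjectAccountId());
    }

    if (accountName == null && domainId == null) {
        // nothing requested: a caller creates/lists resources for itself
        return caller;
    }
    if (accountName == null || domainId == null) {
        throw new InvalidParameterValueException("AccountName and domainId must be specified together");
    }

    if (!isAdmin(caller.getId())) {
        // regular user can't create/list resources for other people
        if (!accountName.equals(caller.getAccountName()) || domainId.longValue() != caller.getDomainId()) {
            throw new PermissionDeniedException("Can't create/list resources for account " + accountName + " in domain " + domainId + ", permission denied");
        }
        return caller;
    }

    Domain domain = _domainMgr.getDomain(domainId);
    if (domain == null) {
        throw new InvalidParameterValueException("Unable to find the domain by id=" + domainId);
    }
    // Authorize on the domain first; only then look inside it.
    checkAccess(caller, domain);
    Account owner = _accountDao.findActiveAccount(accountName, domainId);
    if (owner == null) {
        throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain " + domainId);
    }
    return owner;
}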
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class AccountManagerImpl method checkAccess.
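/**
 * Verifies that {@code caller} may access every entity in {@code entities}, throwing when
 * access cannot be confirmed.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>If {@code sameOwner} is set, all entities must belong to one account.</li>
 *   <li>The system account and root admins are let through without further checks.</li>
 *   <li>Each entity must be granted by at least one configured security checker.</li>
 *   <li>Each collected domain must exist, must not be removed, and is passed to every
 *       checker's domain check.</li>
 * </ol>
 *
 * <p>Templates, affinity groups, and networks accessed with {@code AccessType.UseEntry} are
 * left out of the domain step and rely on the per-entity checkers alone.
 *
 * @param caller the account requesting access
 * @param accessType the kind of access requested; may be null
 * @param sameOwner whether all entities must share one owning account
 * @param apiName forwarded unchanged to the security checkers
 * @param entities the entities to check
 * @throws PermissionDeniedException if the entities have different owners while
 *         {@code sameOwner} is set, no checker grants an entity, a domain is missing or
 *         removed, or a checker's domain check throws
 */
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
    // check that resources belong to the same account
    if (sameOwner) {
        Long ownerId = null;
        ControlledEntity prevEntity = null;
        for (ControlledEntity entity : entities) {
            if (ownerId == null) {
                ownerId = entity.getAccountId();
            } else if (ownerId.longValue() != entity.getAccountId()) {
                throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
            }
            prevEntity = entity;
        }
    }

    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }

    HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
    for (ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }
        // for templates, we don't have to do cross domains check
        if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
            // Look the list up under the same key it is stored with. Reading with the entity's
            // raw domain id missed lists stored under a derived id and replaced them, dropping
            // earlier entities from the details attached to a later denial.
            List<ControlledEntity> toBeChecked = domains.get(domainId);
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<ControlledEntity>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }

        // Default deny: access stands only if some checker explicitly grants it.
        boolean granted = false;
        for (SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            // With JVM assertions enabled this raises AssertionError instead of the exception below.
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }

    for (Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        // Resolved once per domain. A non-empty map means some checker granted an entity
        // above, so the checker list is not empty and this lookup ran before as well.
        Domain d = _domainMgr.getDomain(domain.getKey());
        if (d == null || d.getRemoved() != null) {
            throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
        }
        for (SecurityChecker checker : _securityCheckers) {
            try {
                // NOTE(review): any return value is discarded, so a checker denies a domain
                // only by throwing; confirm every checker follows that convention.
                checker.checkAccess(caller, d);
            } catch (PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
}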
use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.
the class AccountManagerImpl method createUser.
/**
 * Creates a user under an existing, enabled account.
 *
 * <p>The calling account must pass {@code checkAccess} on the target domain before the
 * account is looked up. Project accounts are reported as not found, and the system account
 * never accepts new users.
 *
 * <p>NOTE(review): {@code password} is handed on unchanged to the overloaded
 * {@code createUser}; any encoding or policy check presumably happens there. Confirm.
 *
 * @param userName login name; must be unused in the domain
 * @param password clear-text password, passed on unchanged
 * @param firstName first name
 * @param lastName last name
 * @param email e-mail address
 * @param timeZone time zone
 * @param accountName name of the account that will own the user
 * @param domainId domain of that account; null means {@code Domain.ROOT_DOMAIN}
 * @param userUUID UUID for the new user, passed on unchanged
 * @param source origin of the user record, passed on unchanged
 * @return the created user
 * @throws CloudRuntimeException if the domain is missing or inactive, or the name is taken
 * @throws InvalidParameterValueException if no enabled, non-project account matches
 * @throws PermissionDeniedException if the target is the system account
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID, User.Source source) {
    // An unspecified domain means the ROOT domain.
    if (domainId == null) {
        domainId = Domain.ROOT_DOMAIN;
    }

    final Domain targetDomain = _domainMgr.getDomain(domainId);
    if (targetDomain == null) {
        throw new CloudRuntimeException("The domain " + domainId + " does not exist; unable to create user");
    }
    if (targetDomain.getState().equals(Domain.State.Inactive)) {
        throw new CloudRuntimeException("The user cannot be created as domain " + targetDomain.getName() + " is being deleted");
    }

    // Authorization on the domain comes before any lookup inside it.
    checkAccess(CallContext.current().getCallingAccount(), targetDomain);

    final Account ownerAccount = _accountDao.findEnabledAccount(accountName, domainId);
    final boolean usable = ownerAccount != null && ownerAccount.getType() != Account.ACCOUNT_TYPE_PROJECT;
    if (!usable) {
        throw new InvalidParameterValueException("Unable to find account " + accountName + " in domain id=" + domainId + " to create user");
    }
    if (ownerAccount.getId() == Account.ACCOUNT_ID_SYSTEM) {
        throw new PermissionDeniedException("Account id : " + ownerAccount.getId() + " is a system account, can't add a user to it");
    }
    if (!_userAccountDao.validateUsernameInDomain(userName, domainId)) {
        throw new CloudRuntimeException("The user " + userName + " already exists in domain " + domainId);
    }

    return createUser(ownerAccount.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source);
}