
Example 61 with PermissionDeniedException

use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.

the class AccountManagerImpl method buildACLSearchParameters.

//TODO: deprecate this to use the new buildACLSearchParameters with permittedDomains, permittedAccounts, and permittedResources as return
/**
 * Resolves which accounts, domain and project resources a list request made by {@code caller} may cover.
 *
 * <p>Nothing is returned. The result is written into the two in/out arguments: account ids are appended to
 * {@code permittedAccounts}, and the domain id, recursive flag and project-listing criteria are set on
 * {@code domainIdRecursiveListProject}. Callers are expected to build their search from those values, so any
 * scope this method leaves unset is a scope the query will not be restricted by.
 *
 * @param caller account making the request
 * @param id id of a single resource being listed, or {@code null}
 * @param accountName optional account name; cannot be combined with {@code projectId}
 * @param projectId optional project id; {@code -1} is handled as a special value and is not looked up
 * @param permittedAccounts in/out list of account ids the search may cover
 * @param domainIdRecursiveListProject in/out triple: first = domain id, second = recursive flag,
 *        third = project-listing criteria
 * @param listAll only consulted for callers that are not {@code ACCOUNT_TYPE_NORMAL} when no account or domain
 *        has been selected
 * @param forProjectInvitation when {@code true} and a project id is given, the project branch is skipped entirely
 * @throws InvalidParameterValueException if the domain, account or project cannot be found, or if
 *         {@code accountName} and {@code projectId} are both supplied
 * @throws PermissionDeniedException if the caller cannot access the requested project; the {@code checkAccess}
 *         calls presumably raise it as well (their bodies are not visible here)
 */
@Override
public void buildACLSearchParameters(Account caller, Long id, String accountName, Long projectId, List<Long> permittedAccounts, Ternary<Long, Boolean, ListProjectResourcesCriteria> domainIdRecursiveListProject, boolean listAll, boolean forProjectInvitation) {
    Long domainId = domainIdRecursiveListProject.first();
    if (domainId != null) {
        Domain domain = _domainDao.findById(domainId);
        if (domain == null) {
            throw new InvalidParameterValueException("Unable to find domain by id " + domainId);
        }
        // Authorize the caller against the requested domain before that domain is used to scope anything below.
        checkAccess(caller, domain);
    }
    if (accountName != null) {
        if (projectId != null) {
            throw new InvalidParameterValueException("Account and projectId can't be specified together");
        }
        Account userAccount = null;
        Domain domain = null;
        if (domainId != null) {
            userAccount = _accountDao.findActiveAccount(accountName, domainId);
            domain = _domainDao.findById(domainId);
        } else {
            // No domain supplied: the account name is resolved inside the caller's own domain.
            userAccount = _accountDao.findActiveAccount(accountName, caller.getDomainId());
            domain = _domainDao.findById(caller.getDomainId());
        }
        if (userAccount != null) {
            // The access check runs first; the account id is only added to the permitted list if it passes.
            checkAccess(caller, null, false, userAccount);
            permittedAccounts.add(userAccount.getId());
        } else {
            // NOTE(review): when domainId is null, `domain` comes from the caller's domain lookup and is not
            // null-checked, so a failed lookup would surface as a NullPointerException here — confirm.
            throw new InvalidParameterValueException("could not find account " + accountName + " in domain " + domain.getUuid());
        }
    }
    // set project information
    if (projectId != null) {
        // NOTE(review): with forProjectInvitation set, projectId is neither validated nor access-checked in this
        // method and nothing is added to the scope — presumably the invitation path checks it elsewhere; confirm.
        if (!forProjectInvitation) {
            if (projectId.longValue() == -1) {
                // -1 is not a real project id: normal accounts get the project accounts they are permitted on,
                // every other account type is switched to listing project resources only.
                if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                    permittedAccounts.addAll(_projectMgr.listPermittedProjectAccounts(caller.getId()));
                } else {
                    domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.ListProjectResourcesOnly);
                }
            } else {
                Project project = _projectMgr.getProject(projectId);
                if (project == null) {
                    throw new InvalidParameterValueException("Unable to find project by id " + projectId);
                }
                // Explicit project: the caller must be able to access the project's account before it is added.
                if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
                    throw new PermissionDeniedException("Account " + caller + " can't access project id=" + projectId);
                }
                permittedAccounts.add(project.getProjectAccountId());
            }
        }
    } else {
        // No project requested: project resources are skipped unless a specific resource id was given.
        if (id == null) {
            domainIdRecursiveListProject.third(Project.ListProjectResourcesCriteria.SkipProjectResources);
        }
        if (permittedAccounts.isEmpty() && domainId == null) {
            // Neither an account nor a domain was selected, so the scope is derived from the caller's type.
            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                // Normal accounts are always pinned to themselves; listAll is not consulted for them.
                permittedAccounts.add(caller.getId());
            } else if (!listAll) {
                if (id == null) {
                    permittedAccounts.add(caller.getId());
                } else if (caller.getType() != Account.ACCOUNT_TYPE_ADMIN) {
                    // A specific id was requested by a non-ACCOUNT_TYPE_ADMIN caller: scope to the caller's
                    // domain, recursively. For ACCOUNT_TYPE_ADMIN callers nothing is set on this path, so this
                    // method adds no account or domain restriction.
                    domainIdRecursiveListProject.first(caller.getDomainId());
                    domainIdRecursiveListProject.second(true);
                }
            } else if (domainId == null) {
                // domainId == null is already guaranteed by the enclosing condition; this branch is the
                // listAll case. Only ACCOUNT_TYPE_DOMAIN_ADMIN callers are scoped (to their own domain,
                // recursively); other non-normal account types get no restriction from this method.
                if (caller.getType() == Account.ACCOUNT_TYPE_DOMAIN_ADMIN) {
                    domainIdRecursiveListProject.first(caller.getDomainId());
                    domainIdRecursiveListProject.second(true);
                }
            }
        } else if (domainId != null) {
            // A domain was supplied (and already access-checked above): normal accounts are still pinned to
            // their own account id.
            if (caller.getType() == Account.ACCOUNT_TYPE_NORMAL) {
                permittedAccounts.add(caller.getId());
            }
        }
    }
}
Also used : Project(com.cloud.projects.Project) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) Domain(com.cloud.domain.Domain)

Example 62 with PermissionDeniedException

use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.

the class VolumeApiServiceImpl method allocSnapshotForVm.

/**
 * Validates a manual snapshot request for a volume attached to a VM and allocates the snapshot record.
 *
 * <p>The checks run in a fixed order: the VM must exist and be accessible to the calling account, then the
 * volume must exist and be accessible, then the volume must be attached to that VM. Only after both access
 * checks are the zone, volume state, template type and storage pool examined.
 *
 * <p>NOTE(review): existence is tested before access for both the VM and the volume, so a caller sees a
 * different exception for "does not exist" than for an id the access check rejects — confirm this is acceptable
 * for the id space exposed through the API.
 *
 * @param vmId id of the VM the volume must be attached to
 * @param volumeId id of the volume to snapshot
 * @param snapshotName name passed through to the snapshot manager
 * @return the snapshot allocated by {@code snapshotMgr.allocSnapshot}
 * @throws InvalidParameterValueException if the VM, volume or zone is missing, the volume is not attached to the
 *         VM, is not in the Ready state, belongs to a SYSTEM template, or has no data store
 * @throws PermissionDeniedException if the zone is disabled and the caller is not a root admin
 * @throws ResourceAllocationException declared by the signature; not thrown directly in this body
 */
@Override
public Snapshot allocSnapshotForVm(Long vmId, Long volumeId, String snapshotName) throws ResourceAllocationException {
    final Account callingAccount = CallContext.current().getCallingAccount();

    // VM: must exist, then must be accessible to the calling account.
    final VMInstanceVO targetVm = _vmInstanceDao.findById(vmId);
    if (targetVm == null) {
        throw new InvalidParameterValueException("Creating snapshot failed due to vm:" + vmId + " doesn't exist");
    }
    _accountMgr.checkAccess(callingAccount, null, true, targetVm);

    // Volume: same two steps, independently of the VM check.
    final VolumeInfo targetVolume = volFactory.getVolume(volumeId);
    if (targetVolume == null) {
        throw new InvalidParameterValueException("Creating snapshot failed due to volume:" + volumeId + " doesn't exist");
    }
    _accountMgr.checkAccess(callingAccount, null, true, targetVolume);

    // Binding check: having access to both objects is not enough, the volume has to be attached to this VM.
    final VirtualMachine attachedVm = targetVolume.getAttachedVM();
    final boolean attachedToTargetVm = attachedVm != null && attachedVm.getId() == targetVm.getId();
    if (!attachedToTargetVm) {
        throw new InvalidParameterValueException("Creating snapshot failed due to volume:" + volumeId + " doesn't attach to vm :" + targetVm);
    }

    final DataCenter dataCenter = _dcDao.findById(targetVolume.getDataCenterId());
    if (dataCenter == null) {
        throw new InvalidParameterValueException("Can't find zone by id " + targetVolume.getDataCenterId());
    }
    // A disabled zone blocks everyone except root admins; the admin lookup only happens when the zone is disabled.
    if (Grouping.AllocationState.Disabled == dataCenter.getAllocationState()) {
        if (!_accountMgr.isRootAdmin(callingAccount.getId())) {
            throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + dataCenter.getName());
        }
    }

    if (targetVolume.getState() != Volume.State.Ready) {
        throw new InvalidParameterValueException("VolumeId: " + volumeId + " is not in " + Volume.State.Ready + " state but " + targetVolume.getState() + ". Cannot take snapshot.");
    }

    // Volumes created from a SYSTEM template (system VMs) cannot be snapshotted.
    final VMTemplateVO sourceTemplate = targetVolume.getTemplateId() == null ? null : _templateDao.findById(targetVolume.getTemplateId());
    if (sourceTemplate != null && sourceTemplate.getTemplateType() == Storage.TemplateType.SYSTEM) {
        throw new InvalidParameterValueException("VolumeId: " + volumeId + " is for System VM , Creating snapshot against System VM volumes is not supported");
    }

    final StoragePool pool = (StoragePool) targetVolume.getDataStore();
    if (pool == null) {
        throw new InvalidParameterValueException("VolumeId: " + volumeId + " please attach this volume to a VM before create snapshot for it");
    }

    return snapshotMgr.allocSnapshot(volumeId, Snapshot.MANUAL_POLICY_ID, snapshotName, null);
}
Also used : Account(com.cloud.user.Account) DataCenter(com.cloud.dc.DataCenter) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) VMInstanceVO(com.cloud.vm.VMInstanceVO) VolumeInfo(org.apache.cloudstack.engine.subsystem.api.storage.VolumeInfo) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) VirtualMachine(com.cloud.vm.VirtualMachine)

Example 63 with PermissionDeniedException

use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.

the class VolumeApiServiceImpl method validateVolume.

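/**
 * Validates the parameters of a volume upload request before any resource is created.
 *
 * <p>Checks, in order: the caller's access to the owning account, the owner's volume limit, the zone, the
 * source URL (when one is given), the secondary-storage limit, the image format and the disk offering.
 * Every failure is reported by exception; when all checks pass the method returns {@code false}.
 *
 * @param caller account making the request
 * @param ownerId id of the account that will own the volume
 * @param zoneId id of the target zone
 * @param volumeName not used by this method
 * @param url source URL, or {@code null} for a form-based post upload
 * @param format image format name, matched case-insensitively against {@code ImageFormat}
 * @param diskOfferingId optional disk offering id; when given it must be an existing, customized Disk offering
 * @return always {@code false}
 * @throws InvalidParameterValueException if the zone, URL or disk offering is invalid
 * @throws PermissionDeniedException if the zone is disabled and the caller is not a root admin
 * @throws IllegalArgumentException if {@code format} is not an {@code ImageFormat} constant
 * @throws ResourceAllocationException declared by the signature; presumably raised by the resource-limit checks
 */
private boolean validateVolume(Account caller, long ownerId, Long zoneId, String volumeName, String url, String format, Long diskOfferingId) throws ResourceAllocationException {
    // Permission check first: the caller must be allowed to act on the account that will own the volume.
    Account volumeOwner = _accountMgr.getActiveAccountById(ownerId);
    _accountMgr.checkAccess(caller, null, true, volumeOwner);
    // Check that the resource limit for volumes won't be exceeded
    _resourceLimitMgr.checkResourceLimit(volumeOwner, ResourceType.volume);
    // Verify that zone exists
    DataCenterVO zone = _dcDao.findById(zoneId);
    if (zone == null) {
        throw new InvalidParameterValueException("Unable to find zone by id " + zoneId);
    }
    // A disabled zone is usable by root admins only.
    if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
        throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
    }
    // The URL is validated only when present; it is null for a form-based post upload.
    if (url != null) {
        // Lower-case with Locale.ROOT: under a Turkish/Azeri default locale "FILE://" lower-cases to a string
        // with a dotless i, which would let an upper-case file URL slip past this check.
        if (url.toLowerCase(java.util.Locale.ROOT).contains("file://")) {
            throw new InvalidParameterValueException("File:// type urls are currently unsupported");
        }
        UriUtils.validateUrl(format, url);
        // NOTE(review): the next two calls make the server contact a caller-supplied URL (existence check and
        // remote size). The substring test above only excludes file://; confirm that validateUrl restricts the
        // scheme and rejects internal or link-local destinations before these requests are issued.
        UriUtils.checkUrlExistence(url);
        // Check that the resource limit for secondary storage won't be exceeded
        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.secondary_storage, UriUtils.getRemoteSize(url));
    } else {
        _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(ownerId), ResourceType.secondary_storage);
    }
    try {
        // Locale.ROOT keeps the enum lookup independent of the JVM's default locale.
        ImageFormat.valueOf(format.toUpperCase(java.util.Locale.ROOT));
    } catch (IllegalArgumentException e) {
        s_logger.debug("ImageFormat IllegalArgumentException: " + e.getMessage());
        // Keep the original exception as the cause so the failing lookup stays visible in stack traces.
        throw new IllegalArgumentException("Image format: " + format + " is incorrect. Supported formats are " + EnumUtils.listValues(ImageFormat.values()), e);
    }
    // Check that the disk offering specified is valid
    if (diskOfferingId != null) {
        DiskOfferingVO diskOffering = _diskOfferingDao.findById(diskOfferingId);
        if ((diskOffering == null) || diskOffering.getRemoved() != null || !DiskOfferingVO.Type.Disk.equals(diskOffering.getType())) {
            throw new InvalidParameterValueException("Please specify a valid disk offering.");
        }
        if (!diskOffering.isCustomized()) {
            throw new InvalidParameterValueException("Please specify a custom sized disk offering.");
        }
        // An offering without a domain id is public; only domain-scoped offerings need an access check,
        // and that check is made for the volume owner, not the caller.
        if (diskOffering.getDomainId() != null) {
            _configMgr.checkDiskOfferingAccess(volumeOwner, diskOffering);
        }
    }
    return false;
}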
Also used : DataCenterVO(com.cloud.dc.DataCenterVO) Account(com.cloud.user.Account) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) PermissionDeniedException(com.cloud.exception.PermissionDeniedException)

Example 64 with PermissionDeniedException

use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.

the class SnapshotManagerImpl method findRecurringSnapshotSchedule.

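/**
 * Lists the current recurring snapshot schedules of a volume, for one policy or for all of its policies.
 *
 * <p>When a calling account is present it is authorized first: an admin caller must be in a domain that
 * {@code isChildDomain} accepts for the volume owner's domain, any other caller must own the volume.
 *
 * @param cmd request carrying the volume id and an optional snapshot policy id
 * @return one entry per policy, as returned by {@code getCurrentSchedule}; entries are added without a null check
 * @throws InvalidParameterValueException if the volume does not exist
 * @throws PermissionDeniedException if the calling account may not see this volume's schedules
 */
@Override
public List<SnapshotScheduleVO> findRecurringSnapshotSchedule(ListRecurringSnapshotScheduleCmd cmd) {
    Long volumeId = cmd.getVolumeId();
    Long policyId = cmd.getSnapshotPolicyId();
    Account account = CallContext.current().getCallingAccount();
    // Verify parameters
    VolumeVO volume = _volsDao.findById(volumeId);
    if (volume == null) {
        throw new InvalidParameterValueException("Failed to list snapshot schedule, unable to find a volume with id " + volumeId);
    }
    // NOTE(review): with no calling account the ownership check is skipped entirely — presumably only
    // internal callers reach this path without an account; confirm.
    if (account != null) {
        long volAcctId = volume.getAccountId();
        if (_accountMgr.isAdmin(account.getId())) {
            Account userAccount = _accountDao.findById(Long.valueOf(volAcctId));
            // Deny when the owning account cannot be loaded, instead of failing with a
            // NullPointerException on the domain comparison.
            if (userAccount == null || !_domainDao.isChildDomain(account.getDomainId(), userAccount.getDomainId())) {
                throw new PermissionDeniedException("Unable to list snapshot schedule for volume " + volumeId + ", permission denied.");
            }
        } else if (account.getId() != volAcctId) {
            // Report the volume id the caller asked about; the message previously printed the owner's
            // account id, which both mislabelled the value and disclosed it to a caller who was just denied.
            throw new PermissionDeniedException("Unable to list snapshot schedule, account " + account.getAccountName() + " does not own volume id " + volumeId);
        }
    }
    // List only future schedules, not past ones.
    List<SnapshotScheduleVO> snapshotSchedules = new ArrayList<SnapshotScheduleVO>();
    if (policyId == null) {
        List<SnapshotPolicyVO> policyInstances = listPoliciesforVolume(volumeId);
        for (SnapshotPolicyVO policyInstance : policyInstances) {
            SnapshotScheduleVO snapshotSchedule = _snapshotScheduleDao.getCurrentSchedule(volumeId, policyInstance.getId(), false);
            snapshotSchedules.add(snapshotSchedule);
        }
    } else {
        snapshotSchedules.add(_snapshotScheduleDao.getCurrentSchedule(volumeId, policyId, false));
    }
    return snapshotSchedules;
}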
Also used : Account(com.cloud.user.Account) VolumeVO(com.cloud.storage.VolumeVO) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) ArrayList(java.util.ArrayList) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) SnapshotScheduleVO(com.cloud.storage.SnapshotScheduleVO) SnapshotPolicyVO(com.cloud.storage.SnapshotPolicyVO)

Example 65 with PermissionDeniedException

use of com.cloud.exception.PermissionDeniedException in project cloudstack by apache.

the class DomainChecker method checkAccess.

/**
 * Decides whether {@code caller} may use {@code entity} for the requested {@code accessType}.
 *
 * <p>Denial is signalled by {@link PermissionDeniedException}. The method returns {@code true} on every path
 * that does not throw, except for {@code AffinityGroup} entities, where it returns {@code false} — presumably
 * meaning "not decided by this checker"; confirm against the code that invokes the checkers.
 *
 * @param caller account requesting access
 * @param entity resource being accessed
 * @param accessType kind of access requested; may be {@code null}
 * @return {@code true} when access is allowed, {@code false} for affinity groups
 * @throws PermissionDeniedException if the caller is not allowed to use the entity
 */
@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException {
    if (entity instanceof VirtualMachineTemplate) {
        VirtualMachineTemplate template = (VirtualMachineTemplate) entity;
        // NOTE(review): owner is dereferenced below without a null check, unlike the account lookup in the
        // final branch of this method — confirm a template can never outlive its owning account row.
        Account owner = _accountDao.findById(template.getAccountId());
        // validate that the template is usable by the account
        if (!template.isPublicTemplate()) {
            // Private template: root admins and the owner are always allowed.
            if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) {
                return true;
            }
            //special handling for the project case
            if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT && _projectMgr.canAccessProjectAccount(caller, owner.getId())) {
                return true;
            }
            // since the current account is not the owner of the template, check the launch permissions table to see if the
            // account can launch a VM from this template
            LaunchPermissionVO permission = _launchPermissionDao.findByTemplateAndAccount(template.getId(), caller.getId());
            if (permission == null) {
                throw new PermissionDeniedException(caller + " does not have permission to launch instances from " + template);
            }
        } else {
            // Public template: only OperateEntry is restricted here; any other access type (including null)
            // is allowed for every caller.
            // Domain admin and regular user can delete/modify only templates created by them
            if (accessType != null && accessType == AccessType.OperateEntry) {
                if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) {
                    // For projects check if the caller account can access the project account
                    if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) {
                        throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
                    }
                }
            }
        }
        return true;
    } else if (entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) {
        // Only UseEntry on a Network is delegated; a Network with any other access type falls through to the
        // generic branch at the end. The delegate's result is not inspected, so it presumably throws on denial.
        _networkMgr.checkNetworkPermissions(caller, (Network) entity);
    } else if (entity instanceof AffinityGroup) {
        return false;
    } else {
        // Generic entities: only normal users are checked here. For any other account type this method
        // imposes no restriction and returns true.
        // NOTE(review): domain-level scoping for domain admins is presumably enforced by the caller of this
        // checker — confirm, since nothing in this branch compares domains.
        if (_accountService.isNormalUser(caller.getId())) {
            Account account = _accountDao.findById(entity.getAccountId());
            if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
                //only project owner can delete/modify the project
                if (accessType != null && accessType == AccessType.ModifyProject) {
                    if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
                        throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                    }
                } else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                }
            } else {
                // Not a project account (or the account row was not found): the caller must be the owner.
                if (caller.getId() != entity.getAccountId()) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                }
            }
        }
    }
    return true;
}
Also used : Account(com.cloud.user.Account) VirtualMachineTemplate(com.cloud.template.VirtualMachineTemplate) Network(com.cloud.network.Network) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) AffinityGroup(org.apache.cloudstack.affinity.AffinityGroup) LaunchPermissionVO(com.cloud.storage.LaunchPermissionVO)

Aggregations

PermissionDeniedException (com.cloud.exception.PermissionDeniedException)82 InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)70 Account (com.cloud.user.Account)69 CloudRuntimeException (com.cloud.utils.exception.CloudRuntimeException)26 ActionEvent (com.cloud.event.ActionEvent)23 ArrayList (java.util.ArrayList)22 Project (com.cloud.projects.Project)16 DB (com.cloud.utils.db.DB)15 HashMap (java.util.HashMap)15 DataCenterVO (com.cloud.dc.DataCenterVO)13 ResourceUnavailableException (com.cloud.exception.ResourceUnavailableException)13 ConfigurationException (javax.naming.ConfigurationException)13 DomainVO (com.cloud.domain.DomainVO)11 Pair (com.cloud.utils.Pair)11 List (java.util.List)11 AgentUnavailableException (com.cloud.exception.AgentUnavailableException)10 InsufficientCapacityException (com.cloud.exception.InsufficientCapacityException)10 VolumeVO (com.cloud.storage.VolumeVO)10 TransactionStatus (com.cloud.utils.db.TransactionStatus)10 OperationTimedoutException (com.cloud.exception.OperationTimedoutException)8