Example 1 with PermissionDeniedException
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class AssociateIPAddrCmd method getEntityOwnerId.
@Override
public long getEntityOwnerId() {
final Account caller = CallContext.current().getCallingAccount();
if (accountName != null && domainId != null) {
final Account account = _accountService.finalizeOwner(caller, accountName, domainId, projectId);
return account.getId();
} else if (projectId != null) {
final Project project = _projectService.getProject(projectId);
if (project != null) {
if (project.getState() == Project.State.Active) {
return project.getProjectAccountId();
} else {
throw new PermissionDeniedException("Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active");
}
} else {
throw new InvalidParameterValueException("Unable to find project by ID");
}
} else if (networkId != null) {
final Network network = _networkService.getNetwork(networkId);
if (network == null) {
throw new InvalidParameterValueException("Unable to find network by network id specified");
}
final NetworkOffering offering = _entityMgr.findById(NetworkOffering.class, network.getNetworkOfferingId());
final DataCenter zone = _entityMgr.findById(DataCenter.class, network.getDataCenterId());
if (zone.getNetworkType() == NetworkType.Basic && offering.getElasticIp() && offering.getElasticLb()) {
// shared network with EIP/ELB service.
return caller.getAccountId();
}
return network.getAccountId();
} else if (vpcId != null) {
final Vpc vpc = _entityMgr.findById(Vpc.class, getVpcId());
if (vpc == null) {
throw new InvalidParameterValueException("Can't find enabled VPC by ID specified");
}
return vpc.getAccountId();
}
return caller.getAccountId();
}
Also used :
Account(com.cloud.legacymodel.user.Account)
Project(com.cloud.projects.Project)
DataCenter(com.cloud.legacymodel.dc.DataCenter)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
NetworkOffering(com.cloud.offering.NetworkOffering)
Network(com.cloud.legacymodel.network.Network)
Vpc(com.cloud.legacymodel.network.vpc.Vpc)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
Example 2 with PermissionDeniedException
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class DomainChecker method checkAccess.
@Override
public boolean checkAccess(final Account caller, final ControlledEntity entity, final AccessType accessType) throws PermissionDeniedException {
if (entity instanceof VirtualMachineTemplate) {
final VirtualMachineTemplate template = (VirtualMachineTemplate) entity;
final Account owner = _accountDao.findById(template.getAccountId());
// validate that the template is usable by the account
if (!template.isPublicTemplate()) {
if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) {
return true;
}
// special handling for the project case
if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT && _projectMgr.canAccessProjectAccount(caller, owner.getId())) {
return true;
}
// since the current account is not the owner of the template, check the launch permissions table to see if the
// account can launch a VM from this template
final LaunchPermissionVO permission = _launchPermissionDao.findByTemplateAndAccount(template.getId(), caller.getId());
if (permission == null) {
throw new PermissionDeniedException(caller + " does not have permission to launch instances from " + template);
}
} else {
// Domain admin and regular user can delete/modify only templates created by them
if (accessType != null && accessType == AccessType.OperateEntry) {
if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) {
// For projects check if the caller account can access the project account
if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) {
throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
}
}
}
}
return true;
} else if (entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) {
_networkMgr.checkNetworkPermissions(caller, (Network) entity);
} else if (entity instanceof AffinityGroup) {
return false;
} else {
if (_accountService.isNormalUser(caller.getId())) {
final Account account = _accountDao.findById(entity.getAccountId());
if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
// only project owner can delete/modify the project
if (accessType != null && accessType == AccessType.ModifyProject) {
if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
} else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
} else {
if (caller.getId() != entity.getAccountId()) {
throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
}
}
}
}
return true;
}
Also used :
Account(com.cloud.legacymodel.user.Account)
VirtualMachineTemplate(com.cloud.legacymodel.storage.VirtualMachineTemplate)
Network(com.cloud.legacymodel.network.Network)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
AffinityGroup(com.cloud.affinity.AffinityGroup)
LaunchPermissionVO(com.cloud.storage.LaunchPermissionVO)
Example 3 with PermissionDeniedException
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class AffinityGroupServiceImpl method createAffinityGroup.
@DB
@Override
public AffinityGroup createAffinityGroup(final String accountName, final Long projectId, final Long domainId, final String affinityGroupName, final String affinityGroupType, final String description) {
// validate the affinityGroupType
final Map<String, AffinityGroupProcessor> typeProcessorMap = getAffinityTypeToProcessorMap();
if (typeProcessorMap == null || typeProcessorMap.isEmpty()) {
throw new InvalidParameterValueException("Unable to create affinity group, no Affinity Group Types configured");
}
final AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType);
if (processor == null) {
throw new InvalidParameterValueException("Unable to create affinity group, invalid affinity group type" + affinityGroupType);
}
final Account caller = CallContext.current().getCallingAccount();
if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot create the affinity group");
}
final ControlledEntity.ACLType aclType;
final Account owner;
boolean domainLevel = false;
if (projectId == null && domainId != null && accountName == null) {
verifyAccessToDomainWideProcessor(caller, processor);
final DomainVO domain = getDomain(domainId);
_accountMgr.checkAccess(caller, domain);
// domain level group, owner is SYSTEM.
owner = _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM);
aclType = ControlledEntity.ACLType.Domain;
domainLevel = true;
} else {
owner = _accountMgr.finalizeOwner(caller, accountName, domainId, projectId);
aclType = ControlledEntity.ACLType.Account;
}
verifyAffinityGroupNameInUse(owner.getAccountId(), owner.getDomainId(), affinityGroupName);
verifyDomainLevelAffinityGroupName(domainLevel, owner.getDomainId(), affinityGroupName);
final AffinityGroupVO group = createAffinityGroup(processor, owner, aclType, affinityGroupName, affinityGroupType, description, domainLevel, domainId);
if (s_logger.isDebugEnabled()) {
s_logger.debug("Created affinity group =" + affinityGroupName);
}
return group;
}
Also used :
Account(com.cloud.legacymodel.user.Account)
DomainVO(com.cloud.domain.DomainVO)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
ControlledEntity(com.cloud.legacymodel.acl.ControlledEntity)
ACLType(com.cloud.legacymodel.acl.ControlledEntity.ACLType)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
DB(com.cloud.utils.db.DB)
Example 4 with PermissionDeniedException
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class ConfigurationManagerImpl method createVlanAndPublicIpRange.
@Override
@DB
@ActionEvent(eventType = EventTypes.EVENT_VLAN_IP_RANGE_CREATE, eventDescription = "creating vlan ip range", async = false)
public Vlan createVlanAndPublicIpRange(final CreateVlanIpRangeCmd cmd) throws InsufficientCapacityException, ConcurrentOperationException, ResourceUnavailableException, ResourceAllocationException {
Long zoneId = cmd.getZoneId();
final Long podId = cmd.getPodId();
final String startIP = cmd.getStartIp();
String endIP = cmd.getEndIp();
final String newVlanGateway = cmd.getGateway();
final String newVlanNetmask = cmd.getNetmask();
String vlanId = cmd.getVlan();
// TODO decide if we should be forgiving or demand a valid and complete URI
if (!(vlanId == null || "".equals(vlanId) || vlanId.startsWith(BroadcastDomainType.Vlan.scheme()))) {
vlanId = BroadcastDomainType.Vlan.toUri(vlanId).toString();
}
final Boolean forVirtualNetwork = cmd.isForVirtualNetwork();
Long networkId = cmd.getNetworkID();
Long physicalNetworkId = cmd.getPhysicalNetworkId();
final String accountName = cmd.getAccountName();
final Long projectId = cmd.getProjectId();
final Long domainId = cmd.getDomainId();
final String startIPv6 = cmd.getStartIpv6();
String endIPv6 = cmd.getEndIpv6();
final String ip6Gateway = cmd.getIp6Gateway();
final String ip6Cidr = cmd.getIp6Cidr();
Account vlanOwner = null;
final boolean ipv4 = startIP != null;
final boolean ipv6 = startIPv6 != null;
if (!ipv4 && !ipv6) {
throw new InvalidParameterValueException("StartIP or StartIPv6 is missing in the parameters!");
}
if (ipv4) {
// if end ip is not specified, default it to startIp
if (endIP == null && startIP != null) {
endIP = startIP;
}
}
if (ipv6) {
// if end ip is not specified, default it to startIp
if (endIPv6 == null && startIPv6 != null) {
endIPv6 = startIPv6;
}
}
if (projectId != null) {
if (accountName != null) {
throw new InvalidParameterValueException("Account and projectId are mutually exclusive");
}
final Project project = _projectMgr.getProject(projectId);
if (project == null) {
throw new InvalidParameterValueException("Unable to find project by id " + projectId);
}
vlanOwner = _accountMgr.getAccount(project.getProjectAccountId());
if (vlanOwner == null) {
throw new InvalidParameterValueException("Please specify a valid projectId");
}
}
Domain domain = null;
if (accountName != null && domainId != null) {
vlanOwner = _accountDao.findActiveAccount(accountName, domainId);
if (vlanOwner == null) {
throw new InvalidParameterValueException("Please specify a valid account.");
} else if (vlanOwner.getId() == Account.ACCOUNT_ID_SYSTEM) {
// by default vlan is dedicated to system account
vlanOwner = null;
}
} else if (domainId != null) {
domain = _domainDao.findById(domainId);
if (domain == null) {
throw new InvalidParameterValueException("Please specify a valid domain id");
}
}
// Verify that network exists
Network network = null;
if (networkId != null) {
network = _networkDao.findById(networkId);
if (network == null) {
throw new InvalidParameterValueException("Unable to find network by id " + networkId);
} else {
zoneId = network.getDataCenterId();
physicalNetworkId = network.getPhysicalNetworkId();
}
} else if (ipv6) {
throw new InvalidParameterValueException("Only support IPv6 on extending existed network");
}
// Verify that zone exists
final DataCenterVO zone = _zoneDao.findById(zoneId);
if (zone == null) {
throw new InvalidParameterValueException("Unable to find zone by id " + zoneId);
}
if (ipv6) {
if (network.getGuestType() != GuestType.Shared) {
throw new InvalidParameterValueException("Only support IPv6 on extending existed share network without SG");
}
}
// verify that physical network exists
final PhysicalNetworkVO pNtwk;
if (physicalNetworkId != null) {
pNtwk = _physicalNetworkDao.findById(physicalNetworkId);
if (pNtwk == null) {
throw new InvalidParameterValueException("Unable to find Physical Network with id=" + physicalNetworkId);
}
if (zoneId == null) {
zoneId = pNtwk.getDataCenterId();
}
} else {
if (zoneId == null) {
throw new InvalidParameterValueException("");
}
// deduce physicalNetworkFrom Zone or Network.
if (network != null && network.getPhysicalNetworkId() != null) {
physicalNetworkId = network.getPhysicalNetworkId();
} else {
if (forVirtualNetwork) {
// default physical network with public traffic in the zone
physicalNetworkId = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Public).getId();
} else {
if (zone.getNetworkType() == NetworkType.Basic) {
// default physical network with guest traffic in the
// zone
physicalNetworkId = _networkModel.getDefaultPhysicalNetworkByZoneAndTrafficType(zoneId, TrafficType.Guest).getId();
} else if (zone.getNetworkType() == NetworkType.Advanced) {
throw new InvalidParameterValueException("Physical Network Id is null, please provide the Network id for Direct vlan creation ");
}
}
}
}
// Check if zone is enabled
final Account caller = CallContext.current().getCallingAccount();
if (AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
}
// Untagged, try to locate default networks
if (forVirtualNetwork) {
if (network == null) {
// find default public network in the zone
networkId = _networkModel.getSystemNetworkByZoneAndTrafficType(zoneId, TrafficType.Public).getId();
network = _networkModel.getNetwork(networkId);
} else if (network.getGuestType() != null || network.getTrafficType() != TrafficType.Public) {
throw new InvalidParameterValueException("Can't find Public network by id=" + networkId);
}
} else {
if (network == null) {
if (zone.getNetworkType() == NetworkType.Basic) {
networkId = _networkModel.getExclusiveGuestNetwork(zoneId).getId();
network = _networkModel.getNetwork(networkId);
}
} else if (network.getGuestType() == null || network.getGuestType() == GuestType.Isolated && _ntwkOffServiceMapDao.areServicesSupportedByNetworkOffering(network.getNetworkOfferingId(), Service.SourceNat)) {
throw new InvalidParameterValueException("Can't create direct vlan for network id=" + networkId + " with type: " + network.getGuestType());
}
}
Pair<Boolean, Pair<String, String>> sameSubnet = null;
// Can add vlan range only to the network which allows it
if (!network.getSpecifyIpRanges()) {
throw new InvalidParameterValueException("Network " + network + " doesn't support adding ip ranges");
}
if (zone.getNetworkType() == NetworkType.Advanced) {
if (network.getTrafficType() == TrafficType.Guest) {
if (network.getGuestType() != GuestType.Shared) {
throw new InvalidParameterValueException("Can execute createVLANIpRanges on shared guest network, but type of this guest network " + network.getId() + " is " + network.getGuestType());
}
final List<VlanVO> vlans = _vlanDao.listVlansByNetworkId(network.getId());
if (vlans != null && vlans.size() > 0) {
final VlanVO vlan = vlans.get(0);
if (vlanId == null || vlanId.contains(Vlan.UNTAGGED)) {
vlanId = vlan.getVlanTag();
} else if (!NetUtils.isSameIsolationId(vlan.getVlanTag(), vlanId)) {
throw new InvalidParameterValueException("there is already one vlan " + vlan.getVlanTag() + " on network :" + +network.getId() + ", only one vlan is allowed on guest network");
}
}
sameSubnet = validateIpRange(startIP, endIP, newVlanGateway, newVlanNetmask, vlans, ipv4, ipv6, ip6Gateway, ip6Cidr, startIPv6, endIPv6, network);
}
} else if (network.getTrafficType() == TrafficType.Management) {
throw new InvalidParameterValueException("Cannot execute createVLANIpRanges on management network");
} else if (zone.getNetworkType() == NetworkType.Basic) {
final List<VlanVO> vlans = _vlanDao.listVlansByNetworkId(network.getId());
sameSubnet = validateIpRange(startIP, endIP, newVlanGateway, newVlanNetmask, vlans, ipv4, ipv6, ip6Gateway, ip6Cidr, startIPv6, endIPv6, network);
}
if (zoneId == null || ipv6 && (ip6Gateway == null || ip6Cidr == null)) {
throw new InvalidParameterValueException("Gateway, netmask and zoneId have to be passed in for virtual and direct untagged networks");
}
if (forVirtualNetwork) {
if (vlanOwner != null) {
final long accountIpRange = NetUtils.ip2Long(endIP) - NetUtils.ip2Long(startIP) + 1;
// check resource limits
_resourceLimitMgr.checkResourceLimit(vlanOwner, ResourceType.public_ip, accountIpRange);
}
}
// Check if the IP range overlaps with the private ip
if (ipv4) {
checkOverlapPrivateIpRange(zoneId, startIP, endIP);
}
return commitVlan(zoneId, podId, startIP, endIP, newVlanGateway, newVlanNetmask, vlanId, forVirtualNetwork, networkId, physicalNetworkId, startIPv6, endIPv6, ip6Gateway, ip6Cidr, domain, vlanOwner, network, sameSubnet);
}
Also used :
DataCenterVO(com.cloud.dc.DataCenterVO)
Account(com.cloud.legacymodel.user.Account)
Project(com.cloud.projects.Project)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
PhysicalNetwork(com.cloud.network.PhysicalNetwork)
Network(com.cloud.legacymodel.network.Network)
PhysicalNetworkVO(com.cloud.network.dao.PhysicalNetworkVO)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
Domain(com.cloud.legacymodel.domain.Domain)
VlanVO(com.cloud.dc.VlanVO)
Pair(com.cloud.legacymodel.utils.Pair)
ActionEvent(com.cloud.event.ActionEvent)
DB(com.cloud.utils.db.DB)
Example 5 with PermissionDeniedException
use of com.cloud.legacymodel.exceptions.PermissionDeniedException in project cosmic by MissionCriticalCloud.
the class ConfigurationManagerImpl method createPod.
@Override
@DB
public HostPodVO createPod(final long userId, final String podName, final long zoneId, final String gateway, final String cidr, final String startIp, String endIp, final String allocationStateStr, final boolean skipGatewayOverlapCheck) {
// Check if the zone is valid
if (!validZone(zoneId)) {
throw new InvalidParameterValueException("Please specify a valid zone.");
}
// Check if zone is disabled
final DataCenterVO zone = _zoneDao.findById(zoneId);
final Account account = CallContext.current().getCallingAccount();
if (AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(account.getId())) {
throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zoneId);
}
final String cidrAddress = getCidrAddress(cidr);
final int cidrSize = getCidrSize(cidr);
// end ip of the pod's cidr
if (startIp != null) {
if (endIp == null) {
endIp = NetUtils.getIpRangeEndIpFromCidr(cidrAddress, cidrSize);
}
}
// Validate new pod settings
checkPodAttributes(-1, podName, zoneId, gateway, cidr, startIp, endIp, allocationStateStr, true, skipGatewayOverlapCheck);
// Create the new pod in the database
final String ipRange;
if (startIp != null) {
ipRange = startIp + "-" + endIp;
} else {
throw new InvalidParameterValueException("Start ip is required parameter");
}
final HostPodVO podFinal = new HostPodVO(podName, zoneId, gateway, cidrAddress, cidrSize, ipRange);
final AllocationState allocationState;
if (allocationStateStr != null && !allocationStateStr.isEmpty()) {
allocationState = AllocationState.valueOf(allocationStateStr);
podFinal.setAllocationState(allocationState);
}
final String endIpFinal = endIp;
return Transaction.execute(new TransactionCallback<HostPodVO>() {
@Override
public HostPodVO doInTransaction(final TransactionStatus status) {
final HostPodVO pod = _podDao.persist(podFinal);
if (startIp != null) {
_zoneDao.addPrivateIpAddress(zoneId, pod.getId(), startIp, endIpFinal);
}
final String[] linkLocalIpRanges = getLinkLocalIPRange();
if (linkLocalIpRanges != null) {
_zoneDao.addLinkLocalIpAddress(zoneId, pod.getId(), linkLocalIpRanges[0], linkLocalIpRanges[1]);
}
return pod;
}
});
}
Also used :
DataCenterVO(com.cloud.dc.DataCenterVO)
Account(com.cloud.legacymodel.user.Account)
InvalidParameterValueException(com.cloud.legacymodel.exceptions.InvalidParameterValueException)
AllocationState(com.cloud.model.enumeration.AllocationState)
TransactionStatus(com.cloud.utils.db.TransactionStatus)
PermissionDeniedException(com.cloud.legacymodel.exceptions.PermissionDeniedException)
HostPodVO(com.cloud.dc.HostPodVO)
DB(com.cloud.utils.db.DB)
Aggregations
PermissionDeniedException (com.cloud.legacymodel.exceptions.PermissionDeniedException)73
Account (com.cloud.legacymodel.user.Account)64
InvalidParameterValueException (com.cloud.legacymodel.exceptions.InvalidParameterValueException)59
ActionEvent (com.cloud.event.ActionEvent)26
CloudRuntimeException (com.cloud.legacymodel.exceptions.CloudRuntimeException)25
ArrayList (java.util.ArrayList)14
UserAccount (com.cloud.legacymodel.user.UserAccount)13
DB (com.cloud.utils.db.DB)13
DataCenterVO (com.cloud.dc.DataCenterVO)11
HashMap (java.util.HashMap)11
DomainVO (com.cloud.domain.DomainVO)9
ResourceUnavailableException (com.cloud.legacymodel.exceptions.ResourceUnavailableException)9
Project (com.cloud.projects.Project)9
InsufficientCapacityException (com.cloud.legacymodel.exceptions.InsufficientCapacityException)8
Pair (com.cloud.legacymodel.utils.Pair)8
VMTemplateVO (com.cloud.storage.VMTemplateVO)8
TransactionStatus (com.cloud.utils.db.TransactionStatus)8
List (java.util.List)8
Domain (com.cloud.legacymodel.domain.Domain)7
VolumeVO (com.cloud.storage.VolumeVO)7
