
Example 1 with LaunchPermissionVO

Use of com.cloud.storage.LaunchPermissionVO in the Apache CloudStack project.

Class TemplateManagerImpl, method listTemplatePermissions.

@Override
public List<String> listTemplatePermissions(BaseListTemplateOrIsoPermissionsCmd cmd) {
    Account caller = CallContext.current().getCallingAccount();
    Long id = cmd.getId();
    if (id.equals(Long.valueOf(1))) {
        throw new PermissionDeniedException("unable to list permissions for " + cmd.getMediaType() + " with id " + id);
    }
    VirtualMachineTemplate template = _tmpltDao.findById(id);
    if (template == null) {
        throw new InvalidParameterValueException("unable to find " + cmd.getMediaType() + " with id " + id);
    }
    if (cmd instanceof ListTemplatePermissionsCmd) {
        if (template.getFormat().equals(ImageFormat.ISO)) {
            throw new InvalidParameterValueException("Please provide a valid template");
        }
    } else if (cmd instanceof ListIsoPermissionsCmd) {
        if (!template.getFormat().equals(ImageFormat.ISO)) {
            throw new InvalidParameterValueException("Please provide a valid iso");
        }
    }
    if (!template.isPublicTemplate()) {
        _accountMgr.checkAccess(caller, null, true, template);
    }
    List<String> accountNames = new ArrayList<String>();
    List<LaunchPermissionVO> permissions = _launchPermissionDao.findByTemplate(id);
    if ((permissions != null) && !permissions.isEmpty()) {
        for (LaunchPermissionVO permission : permissions) {
            Account acct = _accountDao.findById(permission.getAccountId());
            accountNames.add(acct.getAccountName());
        }
    }
    // also add the owner if not public
    if (!template.isPublicTemplate()) {
        Account templateOwner = _accountDao.findById(template.getAccountId());
        accountNames.add(templateOwner.getAccountName());
    }
    return accountNames;
}
Also used : Account(com.cloud.user.Account) ListTemplatePermissionsCmd(org.apache.cloudstack.api.command.user.template.ListTemplatePermissionsCmd) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) ArrayList(java.util.ArrayList) ListIsoPermissionsCmd(org.apache.cloudstack.api.command.user.iso.ListIsoPermissionsCmd) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) LaunchPermissionVO(com.cloud.storage.LaunchPermissionVO)

Example 2 with LaunchPermissionVO

Use of com.cloud.storage.LaunchPermissionVO in the Apache CloudStack project.

Class DomainChecker, method checkAccess.

@Override
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType) throws PermissionDeniedException {
    if (entity instanceof VirtualMachineTemplate) {
        VirtualMachineTemplate template = (VirtualMachineTemplate) entity;
        Account owner = _accountDao.findById(template.getAccountId());
        // validate that the template is usable by the account
        if (!template.isPublicTemplate()) {
            if (_accountService.isRootAdmin(caller.getId()) || (owner.getId() == caller.getId())) {
                return true;
            }
            //special handling for the project case
            if (owner.getType() == Account.ACCOUNT_TYPE_PROJECT && _projectMgr.canAccessProjectAccount(caller, owner.getId())) {
                return true;
            }
            // since the current account is not the owner of the template, check the launch permissions table to see if the
            // account can launch a VM from this template
            LaunchPermissionVO permission = _launchPermissionDao.findByTemplateAndAccount(template.getId(), caller.getId());
            if (permission == null) {
                throw new PermissionDeniedException(caller + " does not have permission to launch instances from " + template);
            }
        } else {
            // Domain admin and regular user can delete/modify only templates created by them
            if (accessType != null && accessType == AccessType.OperateEntry) {
                if (!_accountService.isRootAdmin(caller.getId()) && owner.getId() != caller.getId()) {
                    // For projects check if the caller account can access the project account
                    if (owner.getType() != Account.ACCOUNT_TYPE_PROJECT || !(_projectMgr.canAccessProjectAccount(caller, owner.getId()))) {
                        throw new PermissionDeniedException("Domain Admin and regular users can modify only their own Public templates");
                    }
                }
            }
        }
        return true;
    } else if (entity instanceof Network && accessType != null && accessType == AccessType.UseEntry) {
        _networkMgr.checkNetworkPermissions(caller, (Network) entity);
    } else if (entity instanceof AffinityGroup) {
        return false;
    } else {
        if (_accountService.isNormalUser(caller.getId())) {
            Account account = _accountDao.findById(entity.getAccountId());
            if (account != null && account.getType() == Account.ACCOUNT_TYPE_PROJECT) {
                //only project owner can delete/modify the project
                if (accessType != null && accessType == AccessType.ModifyProject) {
                    if (!_projectMgr.canModifyProjectAccount(caller, account.getId())) {
                        throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                    }
                } else if (!_projectMgr.canAccessProjectAccount(caller, account.getId())) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                }
            } else {
                if (caller.getId() != entity.getAccountId()) {
                    throw new PermissionDeniedException(caller + " does not have permission to operate with resource " + entity);
                }
            }
        }
    }
    return true;
}
Also used : Account(com.cloud.user.Account) VirtualMachineTemplate(com.cloud.template.VirtualMachineTemplate) Network(com.cloud.network.Network) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) AffinityGroup(org.apache.cloudstack.affinity.AffinityGroup) LaunchPermissionVO(com.cloud.storage.LaunchPermissionVO)

Example 3 with LaunchPermissionVO

Use of com.cloud.storage.LaunchPermissionVO in the Apache CloudStack project.

Class TemplateManagerImpl, method updateTemplateOrIsoPermissions.

@DB
@Override
public boolean updateTemplateOrIsoPermissions(BaseUpdateTemplateOrIsoPermissionsCmd cmd) {
    // Input validation
    final Long id = cmd.getId();
    final Account caller = CallContext.current().getCallingAccount();
    List<String> accountNames = cmd.getAccountNames();
    List<Long> projectIds = cmd.getProjectIds();
    Boolean isFeatured = cmd.isFeatured();
    Boolean isPublic = cmd.isPublic();
    Boolean isExtractable = cmd.isExtractable();
    String operation = cmd.getOperation();
    String mediaType = "";
    VMTemplateVO template = _tmpltDao.findById(id);
    if (template == null) {
        throw new InvalidParameterValueException("unable to find " + mediaType + " with id " + id);
    }
    if (cmd instanceof UpdateTemplatePermissionsCmd) {
        mediaType = "template";
        if (template.getFormat().equals(ImageFormat.ISO)) {
            throw new InvalidParameterValueException("Please provide a valid template");
        }
    }
    if (cmd instanceof UpdateIsoPermissionsCmd) {
        mediaType = "iso";
        if (!template.getFormat().equals(ImageFormat.ISO)) {
            throw new InvalidParameterValueException("Please provide a valid iso");
        }
    }
    // convert projectIds to accountNames
    if (projectIds != null) {
        // CS-17842, initialize accountNames list
        if (accountNames == null) {
            accountNames = new ArrayList<String>();
        }
        for (Long projectId : projectIds) {
            Project project = _projectMgr.getProject(projectId);
            if (project == null) {
                throw new InvalidParameterValueException("Unable to find project by id " + projectId);
            }
            if (!_projectMgr.canAccessProjectAccount(caller, project.getProjectAccountId())) {
                throw new InvalidParameterValueException("Account " + caller + " can't access project id=" + projectId);
            }
            accountNames.add(_accountMgr.getAccount(project.getProjectAccountId()).getAccountName());
        }
    }
    //_accountMgr.checkAccess(caller, AccessType.ModifyEntry, true, template);
    //TODO: should we replace all ModifyEntry as OperateEntry?
    _accountMgr.checkAccess(caller, AccessType.OperateEntry, true, template);
    // If the template is removed throw an error.
    if (template.getRemoved() != null) {
        s_logger.error("unable to update permissions for " + mediaType + " with id " + id + " as it is removed  ");
        throw new InvalidParameterValueException("unable to update permissions for " + mediaType + " with id " + id + " as it is removed ");
    }
    if (id.equals(Long.valueOf(1))) {
        throw new InvalidParameterValueException("unable to update permissions for " + mediaType + " with id " + id);
    }
    boolean isAdmin = _accountMgr.isAdmin(caller.getId());
    // check configuration parameter(allow.public.user.templates) value for
    // the template owner
    boolean allowPublicUserTemplates = AllowPublicUserTemplates.valueIn(template.getAccountId());
    if (!isAdmin && !allowPublicUserTemplates && isPublic != null && isPublic) {
        throw new InvalidParameterValueException("Only private " + mediaType + "s can be created.");
    }
    if (accountNames != null) {
        if ((operation == null) || (!operation.equalsIgnoreCase("add") && !operation.equalsIgnoreCase("remove") && !operation.equalsIgnoreCase("reset"))) {
            throw new InvalidParameterValueException("Invalid operation on accounts, the operation must be either 'add' or 'remove' in order to modify launch permissions." + "  Given operation is: '" + operation + "'");
        }
    }
    Long ownerId = template.getAccountId();
    if (ownerId == null) {
        // publishing to individual users is irrelevant
        throw new InvalidParameterValueException("Update template permissions is an invalid operation on template " + template.getName());
    }
    //Only admin or owner of the template should be able to change its permissions
    if (caller.getId() != ownerId && !isAdmin) {
        throw new InvalidParameterValueException("Unable to grant permission to account " + caller.getAccountName() + " as it is neither admin nor owner or the template");
    }
    VMTemplateVO updatedTemplate = _tmpltDao.createForUpdate();
    if (isPublic != null) {
        updatedTemplate.setPublicTemplate(isPublic.booleanValue());
    }
    if (isFeatured != null) {
        updatedTemplate.setFeatured(isFeatured.booleanValue());
    }
    if (isExtractable != null) {
        // Only Root admins allowed to change it for templates
        if (!template.getFormat().equals(ImageFormat.ISO) && !_accountMgr.isRootAdmin(caller.getId())) {
            throw new InvalidParameterValueException("Only ROOT admins are allowed to modify isExtractable attribute.");
        } else {
            // For ISOs a normal user can change it, as there are no derivatives.
            updatedTemplate.setExtractable(isExtractable.booleanValue());
        }
    }
    _tmpltDao.update(template.getId(), updatedTemplate);
    //when operation is add/remove, accountNames can not be null
    if (("add".equalsIgnoreCase(operation) || "remove".equalsIgnoreCase(operation)) && accountNames == null) {
        throw new InvalidParameterValueException("Operation " + operation + " requires accounts or projectIds to be passed in");
    }
    //Derive the domain id from the template owner as updateTemplatePermissions is not cross domain operation
    Account owner = _accountMgr.getAccount(ownerId);
    final Domain domain = _domainDao.findById(owner.getDomainId());
    if ("add".equalsIgnoreCase(operation)) {
        final List<String> accountNamesFinal = accountNames;
        final List<Long> accountIds = new ArrayList<Long>();
        Transaction.execute(new TransactionCallbackNoReturn() {

            @Override
            public void doInTransactionWithoutResult(TransactionStatus status) {
                for (String accountName : accountNamesFinal) {
                    Account permittedAccount = _accountDao.findActiveAccount(accountName, domain.getId());
                    if (permittedAccount != null) {
                        if (permittedAccount.getId() == caller.getId()) {
                            // don't grant permission to the template owner, they implicitly have permission
                            continue;
                        }
                        accountIds.add(permittedAccount.getId());
                        LaunchPermissionVO existingPermission = _launchPermissionDao.findByTemplateAndAccount(id, permittedAccount.getId());
                        if (existingPermission == null) {
                            LaunchPermissionVO launchPermission = new LaunchPermissionVO(id, permittedAccount.getId());
                            _launchPermissionDao.persist(launchPermission);
                        }
                    } else {
                        throw new InvalidParameterValueException("Unable to grant a launch permission to account " + accountName + " in domain id=" + domain.getUuid() + ", account not found.  " + "No permissions updated, please verify the account names and retry.");
                    }
                }
            }
        });
        // add ACL permission in IAM
        Map<String, Object> permit = new HashMap<String, Object>();
        permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
        permit.put(ApiConstants.ENTITY_ID, id);
        permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
        permit.put(ApiConstants.IAM_ACTION, "listTemplates");
        permit.put(ApiConstants.ACCOUNTS, accountIds);
        _messageBus.publish(_name, EntityManager.MESSAGE_GRANT_ENTITY_EVENT, PublishScope.LOCAL, permit);
    } else if ("remove".equalsIgnoreCase(operation)) {
        List<Long> accountIds = new ArrayList<Long>();
        for (String accountName : accountNames) {
            Account permittedAccount = _accountDao.findActiveAccount(accountName, domain.getId());
            if (permittedAccount != null) {
                accountIds.add(permittedAccount.getId());
            }
        }
        _launchPermissionDao.removePermissions(id, accountIds);
        // remove ACL permission in IAM
        Map<String, Object> permit = new HashMap<String, Object>();
        permit.put(ApiConstants.ENTITY_TYPE, VirtualMachineTemplate.class);
        permit.put(ApiConstants.ENTITY_ID, id);
        permit.put(ApiConstants.ACCESS_TYPE, AccessType.UseEntry);
        permit.put(ApiConstants.IAM_ACTION, "listTemplates");
        permit.put(ApiConstants.ACCOUNTS, accountIds);
        _messageBus.publish(_name, EntityManager.MESSAGE_REVOKE_ENTITY_EVENT, PublishScope.LOCAL, permit);
    } else if ("reset".equalsIgnoreCase(operation)) {
        // do we care whether the owning account is an admin? if the
        // owner is an admin, will we still set public to false?
        updatedTemplate = _tmpltDao.createForUpdate();
        updatedTemplate.setPublicTemplate(false);
        updatedTemplate.setFeatured(false);
        _tmpltDao.update(template.getId(), updatedTemplate);
        _launchPermissionDao.removeAllPermissions(id);
        _messageBus.publish(_name, TemplateManager.MESSAGE_RESET_TEMPLATE_PERMISSION_EVENT, PublishScope.LOCAL, template.getId());
    }
    return true;
}
Also used : Account(com.cloud.user.Account) HashMap(java.util.HashMap) VMTemplateVO(com.cloud.storage.VMTemplateVO) ArrayList(java.util.ArrayList) TransactionStatus(com.cloud.utils.db.TransactionStatus) TransactionCallbackNoReturn(com.cloud.utils.db.TransactionCallbackNoReturn) UpdateTemplatePermissionsCmd(org.apache.cloudstack.api.command.user.template.UpdateTemplatePermissionsCmd) LaunchPermissionVO(com.cloud.storage.LaunchPermissionVO) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) UpdateIsoPermissionsCmd(org.apache.cloudstack.api.command.user.iso.UpdateIsoPermissionsCmd) ArrayList(java.util.ArrayList) List(java.util.List) Project(com.cloud.projects.Project) Domain(com.cloud.domain.Domain) Map(java.util.Map) HashMap(java.util.HashMap) DB(com.cloud.utils.db.DB)

Aggregations

LaunchPermissionVO (com.cloud.storage.LaunchPermissionVO): 3
Account (com.cloud.user.Account): 3
InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException): 2
PermissionDeniedException (com.cloud.exception.PermissionDeniedException): 2
ArrayList (java.util.ArrayList): 2
Domain (com.cloud.domain.Domain): 1
Network (com.cloud.network.Network): 1
Project (com.cloud.projects.Project): 1
VMTemplateVO (com.cloud.storage.VMTemplateVO): 1
VirtualMachineTemplate (com.cloud.template.VirtualMachineTemplate): 1
DB (com.cloud.utils.db.DB): 1
TransactionCallbackNoReturn (com.cloud.utils.db.TransactionCallbackNoReturn): 1
TransactionStatus (com.cloud.utils.db.TransactionStatus): 1
HashMap (java.util.HashMap): 1
List (java.util.List): 1
Map (java.util.Map): 1
AffinityGroup (org.apache.cloudstack.affinity.AffinityGroup): 1
ListIsoPermissionsCmd (org.apache.cloudstack.api.command.user.iso.ListIsoPermissionsCmd): 1
UpdateIsoPermissionsCmd (org.apache.cloudstack.api.command.user.iso.UpdateIsoPermissionsCmd): 1
ListTemplatePermissionsCmd (org.apache.cloudstack.api.command.user.template.ListTemplatePermissionsCmd): 1