
Example 1 with ACLType

use of org.apache.cloudstack.acl.ControlledEntity.ACLType in project cloudstack by apache.

the class AffinityGroupServiceImpl method createAffinityGroup.

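@DB
@Override
public AffinityGroup createAffinityGroup(final String accountName, final Long projectId, final Long domainId, final String affinityGroupName, final String affinityGroupType, final String description) {
    // Resolve the processor for the requested type first: an unknown type is rejected
    // before any ownership resolution or authorization work is done for it.
    Map<String, AffinityGroupProcessor> typeProcessorMap = getAffinityTypeToProcessorMap();
    if (typeProcessorMap == null || typeProcessorMap.isEmpty()) {
        throw new InvalidParameterValueException("Unable to create affinity group, no Affinity Group Types configured");
    }
    AffinityGroupProcessor processor = typeProcessorMap.get(affinityGroupType);
    if (processor == null) {
        // Message fix: the original concatenated the type name straight onto "type" with no separator.
        throw new InvalidParameterValueException("Unable to create affinity group, invalid affinity group type " + affinityGroupType);
    }
    // Role gate for admin-controlled group types is applied before any owner is resolved,
    // so a non-root caller cannot reach the domain/account branches with such a type.
    Account caller = CallContext.current().getCallingAccount();
    if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) {
        throw new PermissionDeniedException("Cannot create the affinity group");
    }
    ControlledEntity.ACLType aclType = null;
    Account owner = null;
    boolean domainLevel = false;
    if (projectId == null && domainId != null && accountName == null) {
        // Domain-wide group: only a domainId was supplied. The caller must be allowed to use
        // the processor domain-wide AND must have access to the target domain.
        verifyAccessToDomainWideProcessor(caller, processor);
        DomainVO domain = getDomain(domainId);
        _accountMgr.checkAccess(caller, domain);
        // domain level group, owner is SYSTEM (the creating caller does not own it).
        owner = _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM);
        aclType = ControlledEntity.ACLType.Domain;
        domainLevel = true;
    } else {
        // Account/project group. finalizeOwner resolves the target owner from the caller and the
        // optional accountName/domainId/projectId; presumably it also enforces the caller's access
        // to that owner -- confirm in AccountManager before relying on it here.
        owner = _accountMgr.finalizeOwner(caller, accountName, domainId, projectId);
        aclType = ControlledEntity.ACLType.Account;
    }
    // Name-uniqueness checks are keyed on the resolved OWNER's account/domain. For the domain-level
    // branch that is the SYSTEM account's domain, while creation below uses the requested domainId.
    // NOTE(review): looks intentional (domain-level names unique across SYSTEM's scope) -- confirm.
    verifyAffinityGroupNameInUse(owner.getAccountId(), owner.getDomainId(), affinityGroupName);
    verifyDomainLevelAffinityGroupName(domainLevel, owner.getDomainId(), affinityGroupName);
    AffinityGroupVO group = createAffinityGroup(processor, owner, aclType, affinityGroupName, affinityGroupType, description, domainLevel, domainId);
    if (s_logger.isDebugEnabled()) {
        s_logger.debug("Created affinity group =" + affinityGroupName);
    }
    return group;
}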

Example 2 with ACLType

use of org.apache.cloudstack.acl.ControlledEntity.ACLType in project cloudstack by apache.

the class NetworkServiceImpl method createGuestNetwork.

/**
 * Creates a guest network from the parameters carried by a CreateNetworkCmd.
 *
 * Authorization and ownership, as established by the checks in this method:
 * <ul>
 *   <li>Admin-only parameters (vlan, bypassVlanOverlapCheck, hideIpAddressUsage, routerIp,
 *       routerIpv6) are only read when {@code cmd} is a {@link CreateNetworkCmdByAdmin};
 *       the non-admin command class cannot supply them.</li>
 *   <li>The owner is resolved through {@code _accountMgr.finalizeOwner} when an
 *       (accountName, domainId) pair or a projectId is given, otherwise it is the caller.
 *       An accountName supplied without a domainId is silently ignored.</li>
 *   <li>Access to the network offering and zone is checked for the resolved OWNER,
 *       not for the caller.</li>
 *   <li>Shared networks and aclType=Domain require an admin; a disabled zone, an explicit
 *       vlan, bypassing the vlan-overlap check, specifyVlan offerings and CIDRs smaller
 *       than {@code _cidrLimit} require the ROOT admin.</li>
 *   <li>Networks with aclType=Domain are owned by the SYSTEM account.</li>
 * </ul>
 *
 * @param cmd the API command with all request parameters
 * @return the created network; for a persistent offering, the implemented network
 * @throws InvalidParameterValueException on any parameter validation failure
 * @throws PermissionDeniedException when the caller lacks the required role or access
 * @throws InsufficientCapacityException as declared by the underlying creation/implementation calls
 * @throws ConcurrentOperationException as declared by the underlying creation/implementation calls
 * @throws ResourceAllocationException as declared by the underlying creation/implementation calls
 * @throws CloudRuntimeException when a persistent network cannot be implemented
 */
@Override
@DB
@ActionEvent(eventType = EventTypes.EVENT_NETWORK_CREATE, eventDescription = "creating network")
public Network createGuestNetwork(CreateNetworkCmd cmd) throws InsufficientCapacityException, ConcurrentOperationException, ResourceAllocationException {
    Long networkOfferingId = cmd.getNetworkOfferingId();
    String gateway = cmd.getGateway();
    String startIP = cmd.getStartIp();
    String endIP = cmd.getEndIp();
    String netmask = cmd.getNetmask();
    String networkDomain = cmd.getNetworkDomain();
    String vlanId = null;
    boolean bypassVlanOverlapCheck = false;
    boolean hideIpAddressUsage = false;
    String routerIp = null;
    String routerIpv6 = null;
    // Admin-only inputs are gated by the command TYPE: a plain CreateNetworkCmd cannot carry them,
    // so they stay at their defaults for non-admin API calls.
    if (cmd instanceof CreateNetworkCmdByAdmin) {
        vlanId = ((CreateNetworkCmdByAdmin) cmd).getVlan();
        bypassVlanOverlapCheck = ((CreateNetworkCmdByAdmin) cmd).getBypassVlanOverlapCheck();
        hideIpAddressUsage = ((CreateNetworkCmdByAdmin) cmd).getHideIpAddressUsage();
        routerIp = ((CreateNetworkCmdByAdmin) cmd).getRouterIp();
        routerIpv6 = ((CreateNetworkCmdByAdmin) cmd).getRouterIpv6();
    }
    String name = cmd.getNetworkName();
    String displayText = cmd.getDisplayText();
    Account caller = CallContext.current().getCallingAccount();
    Long physicalNetworkId = cmd.getPhysicalNetworkId();
    Long zoneId = cmd.getZoneId();
    String aclTypeStr = cmd.getAclType();
    Long domainId = cmd.getDomainId();
    boolean isDomainSpecific = false;
    Boolean subdomainAccess = cmd.getSubdomainAccess();
    Long vpcId = cmd.getVpcId();
    String startIPv6 = cmd.getStartIpv6();
    String endIPv6 = cmd.getEndIpv6();
    String ip6Gateway = cmd.getIp6Gateway();
    String ip6Cidr = cmd.getIp6Cidr();
    Boolean displayNetwork = cmd.getDisplayNetwork();
    Long aclId = cmd.getAclId();
    String isolatedPvlan = cmd.getIsolatedPvlan();
    String externalId = cmd.getExternalId();
    String isolatedPvlanType = cmd.getIsolatedPvlanType();
    // Validate network offering. A system-only offering is reported as "not found" rather than
    // "forbidden", so its existence is not disclosed to the caller.
    NetworkOfferingVO ntwkOff = _networkOfferingDao.findById(networkOfferingId);
    if (ntwkOff == null || ntwkOff.isSystemOnly()) {
        InvalidParameterValueException ex = new InvalidParameterValueException("Unable to find network offering by specified id");
        if (ntwkOff != null) {
            ex.addProxyObject(ntwkOff.getUuid(), "networkOfferingId");
        }
        throw ex;
    }
    // Owner resolution: only an (accountName, domainId) PAIR or a projectId selects another owner;
    // an accountName without a domainId is silently ignored and the caller becomes the owner.
    // finalizeOwner presumably enforces the caller's access to the target account/project --
    // confirm in AccountManager, this method does no further caller-vs-owner check.
    Account owner = null;
    if ((cmd.getAccountName() != null && domainId != null) || cmd.getProjectId() != null) {
        owner = _accountMgr.finalizeOwner(caller, cmd.getAccountName(), domainId, cmd.getProjectId());
    } else {
        owner = caller;
    }
    // validate physical network and zone
    // Check if physical network exists
    PhysicalNetwork pNtwk = null;
    if (physicalNetworkId != null) {
        pNtwk = _physicalNetworkDao.findById(physicalNetworkId);
        if (pNtwk == null) {
            throw new InvalidParameterValueException("Unable to find a physical network having the specified physical network id");
        }
    }
    if (zoneId == null) {
        // NOTE(review): if physicalNetworkId was also null, pNtwk is null here and this line throws
        // NullPointerException instead of a validation error. Presumably the API layer makes zoneid
        // mandatory so this branch is unreachable -- confirm against CreateNetworkCmd.
        zoneId = pNtwk.getDataCenterId();
    }
    if (displayNetwork == null) {
        displayNetwork = true;
    }
    DataCenter zone = _dcDao.findById(zoneId);
    if (zone == null) {
        throw new InvalidParameterValueException("Specified zone id was not found");
    }
    // Offering/zone access is checked for the resolved OWNER (which may differ from the caller).
    _accountMgr.checkAccess(owner, ntwkOff, zone);
    // Only the ROOT admin may create networks in a disabled zone.
    if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) {
        // See DataCenterVO.java
        PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation since specified Zone is currently disabled");
        ex.addProxyObject(zone.getUuid(), "zoneId");
        throw ex;
    }
    // Only domain and account ACL types are supported in Acton.
    // Note: with an explicit aclType, an L2 offering matches neither guest-type branch below and is
    // not cross-checked here; aclType=Domain on L2 is still rejected further down (Shared only).
    ACLType aclType = null;
    if (aclTypeStr != null) {
        if (aclTypeStr.equalsIgnoreCase(ACLType.Account.toString())) {
            aclType = ACLType.Account;
        } else if (aclTypeStr.equalsIgnoreCase(ACLType.Domain.toString())) {
            aclType = ACLType.Domain;
        } else {
            throw new InvalidParameterValueException("Incorrect aclType specified. Check the API documentation for supported types");
        }
        // In 3.0 all Shared networks should have aclType == Domain, all Isolated networks aclType==Account
        if (ntwkOff.getGuestType() == GuestType.Isolated) {
            if (aclType != ACLType.Account) {
                throw new InvalidParameterValueException("AclType should be " + ACLType.Account + " for network of type " + Network.GuestType.Isolated);
            }
        } else if (ntwkOff.getGuestType() == GuestType.Shared) {
            if (!(aclType == ACLType.Domain || aclType == ACLType.Account)) {
                throw new InvalidParameterValueException("AclType should be " + ACLType.Domain + " or " + ACLType.Account + " for network of type " + Network.GuestType.Shared);
            }
        }
    } else {
        // Defaults when no aclType was given: Isolated/L2 -> Account, Shared -> Domain.
        if (ntwkOff.getGuestType() == GuestType.Isolated || ntwkOff.getGuestType() == GuestType.L2) {
            aclType = ACLType.Account;
        } else if (ntwkOff.getGuestType() == GuestType.Shared) {
            aclType = ACLType.Domain;
        }
    }
    // Only Admin can create Shared networks (isAdmin: any admin role, not just ROOT).
    if ((ntwkOff.getGuestType() == GuestType.Shared) && !_accountMgr.isAdmin(caller.getId())) {
        throw new InvalidParameterValueException("Only Admins can create network with guest type " + GuestType.Shared);
    }
    // Router IPs are admin-only inputs (see above) and only meaningful for Shared networks whose
    // offering uses the VirtualRouter provider.
    if (ntwkOff.getGuestType() != GuestType.Shared && (!StringUtils.isAllBlank(routerIp, routerIpv6))) {
        throw new InvalidParameterValueException("Router IP can be specified only for Shared networks");
    }
    if (ntwkOff.getGuestType() == GuestType.Shared && !_networkModel.isProviderForNetworkOffering(Provider.VirtualRouter, networkOfferingId) && (!StringUtils.isAllBlank(routerIp, routerIpv6))) {
        throw new InvalidParameterValueException("Virtual Router is not a supported provider for the Shared network, hence router ip should not be provided");
    }
    // Check if the network is domain specific
    if (aclType == ACLType.Domain) {
        // only Admin can create domain with aclType=Domain
        if (!_accountMgr.isAdmin(caller.getId())) {
            throw new PermissionDeniedException("Only admin can create networks with aclType=Domain");
        }
        // only shared networks can be Domain specific
        if (ntwkOff.getGuestType() != GuestType.Shared) {
            throw new InvalidParameterValueException("Only " + GuestType.Shared + " networks can have aclType=" + ACLType.Domain);
        }
        // When a domain is targeted, the CALLER must have access to it (a domain admin cannot
        // place a domain-scoped network into a domain outside its own tree).
        if (domainId != null) {
            if (ntwkOff.getTrafficType() != TrafficType.Guest || ntwkOff.getGuestType() != Network.GuestType.Shared) {
                throw new InvalidParameterValueException("Domain level networks are supported just for traffic type " + TrafficType.Guest + " and guest type " + Network.GuestType.Shared);
            }
            DomainVO domain = _domainDao.findById(domainId);
            if (domain == null) {
                throw new InvalidParameterValueException("Unable to find domain by specified id");
            }
            _accountMgr.checkAccess(caller, domain);
        }
        // isDomainSpecific is set even when domainId is null; commitNetwork presumably handles a
        // domain-scoped network without an explicit domain -- confirm.
        isDomainSpecific = true;
    } else if (subdomainAccess != null) {
        throw new InvalidParameterValueException("Parameter subDomainAccess can be specified only with aclType=Domain");
    }
    // Domain-scoped networks are owned by SYSTEM. Consequently the per-account settings read below
    // (AllowDuplicateNetworkName, AllowEmptyStartEndIpAddress) and the name-uniqueness check are
    // evaluated against the SYSTEM account rather than the caller.
    if (aclType == ACLType.Domain) {
        owner = _accountDao.findById(Account.ACCOUNT_ID_SYSTEM);
    }
    // The network name is unique under the account
    if (!AllowDuplicateNetworkName.valueIn(owner.getAccountId())) {
        List<NetworkVO> existingNetwork = _networksDao.listByAccountIdNetworkName(owner.getId(), name);
        if (!existingNetwork.isEmpty()) {
            throw new InvalidParameterValueException("Another network with same name already exists within account: " + owner.getAccountName());
        }
    }
    boolean ipv4 = false, ipv6 = false;
    if (org.apache.commons.lang3.StringUtils.isNoneBlank(gateway, netmask)) {
        ipv4 = true;
    }
    if (StringUtils.isNoneBlank(ip6Cidr, ip6Gateway)) {
        ipv6 = true;
    }
    if (gateway != null) {
        try {
            // getByName on a literal representation will only check validity of the address
            // http://docs.oracle.com/javase/6/docs/api/java/net/InetAddress.html#getByName(java.lang.String)
            // NOTE(review): that holds for IP LITERALS only. `gateway` is caller-controlled and is
            // not checked with NetUtils.isValidIp4 until further down (and only when netmask is set),
            // so a hostname here makes the management server perform a DNS lookup on attacker-chosen
            // input. A literal-only validation before this call would close that.
            InetAddress gatewayAddress = InetAddress.getByName(gateway);
            if (gatewayAddress instanceof Inet6Address) {
                ipv6 = true;
            } else {
                ipv4 = true;
            }
        } catch (UnknownHostException e) {
            s_logger.error("Unable to convert gateway IP to a InetAddress", e);
            throw new InvalidParameterValueException("Gateway parameter is invalid");
        }
    }
    // Start and end IP address are mandatory for shared networks.
    if (ntwkOff.getGuestType() == GuestType.Shared && vpcId == null) {
        if (!AllowEmptyStartEndIpAddress.valueIn(owner.getAccountId()) && (startIP == null && endIP == null) && (startIPv6 == null && endIPv6 == null)) {
            throw new InvalidParameterValueException("Either IPv4 or IPv6 start and end address are mandatory");
        }
    }
    String cidr = null;
    if (ipv4) {
        // if end ip is not specified, default it to startIp
        if (startIP != null) {
            if (!NetUtils.isValidIp4(startIP)) {
                throw new InvalidParameterValueException("Invalid format for the startIp parameter");
            }
            if (endIP == null) {
                endIP = startIP;
            } else if (!NetUtils.isValidIp4(endIP)) {
                throw new InvalidParameterValueException("Invalid format for the endIp parameter");
            }
            if (!(gateway != null && netmask != null)) {
                throw new InvalidParameterValueException("gateway and netmask should be defined when startIP/endIP are passed in");
            }
        }
        if (gateway != null && netmask != null) {
            if (NetUtils.isNetworkorBroadcastIP(gateway, netmask)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("The gateway IP provided is " + gateway + " and netmask is " + netmask + ". The IP is either broadcast or network IP.");
                }
                throw new InvalidParameterValueException("Invalid gateway IP provided. Either the IP is broadcast or network IP.");
            }
            if (!NetUtils.isValidIp4(gateway)) {
                throw new InvalidParameterValueException("Invalid gateway");
            }
            if (!NetUtils.isValidIp4Netmask(netmask)) {
                throw new InvalidParameterValueException("Invalid netmask");
            }
            // cidr is only ever assigned here, from validated inputs.
            cidr = NetUtils.ipAndNetMaskToCidr(gateway, netmask);
        }
    }
    if (ipv6) {
        if (endIPv6 == null) {
            endIPv6 = startIPv6;
        }
        _networkModel.checkIp6Parameters(startIPv6, endIPv6, ip6Gateway, ip6Cidr);
        if (zone.getNetworkType() != NetworkType.Advanced || ntwkOff.getGuestType() != Network.GuestType.Shared) {
            throw new InvalidParameterValueException("Can only support create IPv6 network with advance shared network!");
        }
        if (StringUtils.isAllBlank(zone.getIp6Dns1(), zone.getIp6Dns2())) {
            throw new InvalidParameterValueException("Can only create IPv6 network if the zone has IPv6 DNS! Please configure the zone IPv6 DNS1 and/or IPv6 DNS2.");
        }
        if (!ipv4 && ntwkOff.getGuestType() == GuestType.Shared && _networkModel.isProviderForNetworkOffering(Provider.VirtualRouter, networkOfferingId)) {
            throw new InvalidParameterValueException("Currently IPv6-only Shared network with Virtual Router provider is not supported.");
        }
    }
    validateRouterIps(routerIp, routerIpv6, startIP, endIP, gateway, netmask, startIPv6, endIPv6, ip6Cidr);
    if (StringUtils.isNotBlank(isolatedPvlan) && (zone.getNetworkType() != NetworkType.Advanced || ntwkOff.getGuestType() == GuestType.Isolated)) {
        throw new InvalidParameterValueException("Can only support create Private VLAN network with advanced shared or L2 network!");
    }
    if (StringUtils.isNotBlank(isolatedPvlan) && ipv6) {
        throw new InvalidParameterValueException("Can only support create Private VLAN network with IPv4!");
    }
    Pair<String, PVlanType> pvlanPair = getPrivateVlanPair(isolatedPvlan, isolatedPvlanType, vlanId);
    String secondaryVlanId = pvlanPair.first();
    PVlanType privateVlanType = pvlanPair.second();
    if ((StringUtils.isNotBlank(secondaryVlanId) || privateVlanType != null) && StringUtils.isBlank(vlanId)) {
        throw new InvalidParameterValueException("VLAN ID has to be set in order to configure a Private VLAN");
    }
    performBasicPrivateVlanChecks(vlanId, secondaryVlanId, privateVlanType);
    // ROOT-admin-only capabilities from here on. Note that vlanId/bypassVlanOverlapCheck can only be
    // non-default via the admin command, but the offering's specifyVlan flag is checked for everyone.
    if (!_accountMgr.isRootAdmin(caller.getId())) {
        validateNetworkOfferingForNonRootAdminUser(ntwkOff);
    }
    // Don't allow to specify vlan if the caller is not ROOT admin
    if (!_accountMgr.isRootAdmin(caller.getId()) && (ntwkOff.isSpecifyVlan() || vlanId != null || bypassVlanOverlapCheck)) {
        throw new InvalidParameterValueException("Only ROOT admin is allowed to specify vlanId or bypass vlan overlap check");
    }
    if (ipv4) {
        // For non-root admins check cidr limit - if it's allowed by global config value
        if (!_accountMgr.isRootAdmin(caller.getId()) && cidr != null) {
            // cidr was built by NetUtils.ipAndNetMaskToCidr above, so the "/prefix" suffix is present.
            String[] cidrPair = cidr.split("\\/");
            int cidrSize = Integer.parseInt(cidrPair[1]);
            if (cidrSize < _cidrLimit) {
                throw new InvalidParameterValueException("Cidr size can't be less than " + _cidrLimit);
            }
        }
    }
    Collection<String> ntwkProviders = _networkMgr.finalizeServicesAndProvidersForNetwork(ntwkOff, physicalNetworkId).values();
    if (ipv6 && providersConfiguredForExternalNetworking(ntwkProviders)) {
        throw new InvalidParameterValueException("Cannot support IPv6 on network offering with external devices!");
    }
    if (StringUtils.isNotBlank(secondaryVlanId) && providersConfiguredForExternalNetworking(ntwkProviders)) {
        throw new InvalidParameterValueException("Cannot support private vlan on network offering with external devices!");
    }
    if (cidr != null && providersConfiguredForExternalNetworking(ntwkProviders)) {
        if (ntwkOff.getGuestType() == GuestType.Shared && (zone.getNetworkType() == NetworkType.Advanced) && isSharedNetworkOfferingWithServices(networkOfferingId)) {
            // validate if CIDR specified overlaps with any of the CIDR's allocated for isolated networks and shared networks in the zone
            // NOTE(review): pNtwk is null when no physicalNetworkId was supplied, so this line would
            // throw NullPointerException in that case -- confirm whether the API requires it here.
            checkSharedNetworkCidrOverlap(zoneId, pNtwk.getId(), cidr);
        } else {
            // if cidr is not null and network is not part of vpc then throw the exception
            if (vpcId == null) {
                throw new InvalidParameterValueException("Cannot specify CIDR when using network offering with external devices!");
            }
        }
    }
    // Vlan is created in 2 cases - works in Advance zone only, and only when start/end IP are given:
    // 1) GuestType is Shared
    // 2) GuestType is Isolated and the offering does not provide the SourceNat service
    boolean createVlan = (startIP != null && endIP != null && zone.getNetworkType() == NetworkType.Advanced && ((ntwkOff.getGuestType() == Network.GuestType.Shared) || (ntwkOff.getGuestType() == GuestType.Isolated && !areServicesSupportedByNetworkOffering(ntwkOff.getId(), Service.SourceNat))));
    if (!createVlan) {
        // Only support advance shared network in IPv6, which means createVlan is a must
        if (ipv6) {
            createVlan = true;
        }
    }
    // Can add vlan range only to the network which allows it
    if (createVlan && !ntwkOff.isSpecifyIpRanges()) {
        throwInvalidIdException("Network offering with specified id doesn't support adding multiple ip ranges", ntwkOff.getUuid(), "networkOfferingId");
    }
    Network network = commitNetwork(networkOfferingId, gateway, startIP, endIP, netmask, networkDomain, vlanId, bypassVlanOverlapCheck, name, displayText, caller, physicalNetworkId, zoneId, domainId, isDomainSpecific, subdomainAccess, vpcId, startIPv6, endIPv6, ip6Gateway, ip6Cidr, displayNetwork, aclId, secondaryVlanId, privateVlanType, ntwkOff, pNtwk, aclType, owner, cidr, createVlan, externalId, routerIp, routerIpv6);
    // hideIpAddressUsage can only be true via the admin command (see top of method).
    if (hideIpAddressUsage) {
        _networkDetailsDao.persist(new NetworkDetailVO(network.getId(), Network.hideIpAddressUsage, String.valueOf(hideIpAddressUsage), false));
    }
    // if the network offering has persistent set to true, implement the network
    if (ntwkOff.isPersistent()) {
        try {
            DeployDestination dest = new DeployDestination(zone, null, null, null);
            UserVO callerUser = _userDao.findById(CallContext.current().getCallingUserId());
            Journal journal = new Journal.LogJournal("Implementing " + network, s_logger);
            ReservationContext context = new ReservationContextImpl(UUID.randomUUID().toString(), journal, callerUser, caller);
            s_logger.debug("Implementing network " + network + " as a part of network provision for persistent network");
            Pair<? extends NetworkGuru, ? extends Network> implementedNetwork = _networkMgr.implementNetwork(network.getId(), dest, context);
            // NOTE(review): a null implementedNetwork is only logged here and is then dereferenced on
            // the next statement (NullPointerException); only the first()==null case is tolerated.
            if (implementedNetwork == null || implementedNetwork.first() == null) {
                s_logger.warn("Failed to provision the network " + network);
            }
            network = implementedNetwork.second();
        } catch (ResourceUnavailableException ex) {
            s_logger.warn("Failed to implement persistent guest network " + network + "due to ", ex);
            CloudRuntimeException e = new CloudRuntimeException("Failed to implement persistent guest network");
            e.addProxyObject(network.getUuid(), "networkId");
            throw e;
        }
    }
    return network;
}
