
Example 6 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class ManagementServerImpl method deleteEvents.

/**
 * Deletes the events selected by {@code cmd}, restricted to the accounts the caller may act on.
 *
 * <p>The account scope is built before anything is queried: a normal user or a project account
 * is limited to its own account id; any other caller gets the account ids that
 * {@code _accountDao.getAccountIdsForDomains} returns for the domain ids obtained from the
 * caller's domain path. The selected events are passed to {@code _accountMgr.checkAccess}
 * before any row is removed.
 *
 * <p>When explicit ids were supplied and fewer events came back than were requested, nothing is
 * removed and {@code false} is returned, so a request is never partially applied.
 *
 * @param cmd the delete request; its ids, type, start date and end date select the events
 * @return {@code true} once every selected event has been removed, {@code false} if ids were
 *         supplied and not all of them resolved to an event returned by the scoped query
 */
@Override
public boolean deleteEvents(final DeleteEventsCmd cmd) {
    final Account caller = getCaller();
    final List<Long> requestedIds = cmd.getIds();

    // Build the set of account ids whose events this caller is allowed to touch.
    final List<Long> permittedAccountIds;
    if (_accountMgr.isNormalUser(caller.getId()) || caller.getType() == Account.ACCOUNT_TYPE_PROJECT) {
        permittedAccountIds = new ArrayList<Long>();
        permittedAccountIds.add(caller.getId());
    } else {
        // NOTE(review): findById may return null for a missing domain, which would fail on
        // getPath() below; confirm the caller's domain is guaranteed to exist here.
        final DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
        final List<Long> domainIdsInScope = _domainDao.getDomainChildrenIds(callerDomain.getPath());
        permittedAccountIds = _accountDao.getAccountIdsForDomains(domainIdsInScope);
    }

    // presumably the DAO filters on permittedAccountIds, so out-of-scope events are simply
    // absent from the result rather than rejected; verify against the DAO.
    final List<EventVO> events = _eventDao.listToArchiveOrDeleteEvents(requestedIds, cmd.getType(), cmd.getStartDate(), cmd.getEndDate(), permittedAccountIds);

    // Authorize against every selected event before deleting any of them.
    // NOTE(review): the check uses CallContext's calling account, not the local `caller`;
    // these are presumably the same account, confirm.
    final ControlledEntity[] eventsToCheck = events.toArray(new ControlledEntity[events.size()]);
    _accountMgr.checkAccess(CallContext.current().getCallingAccount(), null, false, eventsToCheck);

    // All-or-nothing: a requested id that did not resolve aborts the whole delete.
    if (requestedIds != null && events.size() < requestedIds.size()) {
        return false;
    }

    for (final EventVO event : events) {
        _eventDao.remove(event.getId());
    }
    return true;
}
Also used : Account(com.cloud.user.Account) NetworkDomainVO(com.cloud.network.dao.NetworkDomainVO) DomainVO(com.cloud.domain.DomainVO) ControlledEntity(org.apache.cloudstack.acl.ControlledEntity) ArrayList(java.util.ArrayList) EventVO(com.cloud.event.EventVO)

Example 7 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class AccountManagerImpl method getKeys.

/**
 * Returns the API key and secret key of the given user.
 *
 * <p>The user must be active, and the calling user must pass {@code checkAccess} against the
 * account that owns the requested user; only then are the credentials read.
 *
 * <p>The returned map carries the secret key in clear text, so callers should keep it out of
 * logs and error messages.
 *
 * @param userId id of the user whose keys are requested
 * @return a map with the entries {@code "apikey"} and {@code "secretkey"}
 * @throws InvalidParameterValueException if no active user exists for {@code userId}
 */
@Override
public Map<String, String> getKeys(Long userId) {
    final User requestedUser = getActiveUser(userId);
    if (requestedUser == null) {
        throw new InvalidParameterValueException("Unable to find user by id");
    }

    // Resolve the account owning the requested user and authorize the caller against it
    // before any credential is read.
    // NOTE(review): getUserAccountById may return null, which would fail on getAccountId();
    // confirm it cannot for an active user.
    final ControlledEntity owningAccount = getAccount(getUserAccountById(userId).getAccountId());
    checkAccess(CallContext.current().getCallingUser(), owningAccount);

    final Map<String, String> credentials = new HashMap<String, String>();
    credentials.put("apikey", requestedUser.getApiKey());
    credentials.put("secretkey", requestedUser.getSecretKey());
    return credentials;
}
Also used : InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) ControlledEntity(org.apache.cloudstack.acl.ControlledEntity) HashMap(java.util.HashMap)

Example 8 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class UserVmManagerImpl method destroyVm.

/**
 * Destroys the VM named by {@code cmd}, optionally expunging it and deleting selected volumes.
 *
 * <p>Order of operations, as written below: expunge permission, VM lookup, already-destroyed
 * short-circuit, ROOT-volume snapshot check, volume validation and access check, stop, detach
 * data disks, destroy, optional expunge, volume deletion. Every check that can reject the
 * request runs before the VM is stopped.
 *
 * <p>NOTE(review): the only access check visible in this method covers the volumes to delete.
 * No ownership check on the VM itself appears here; presumably it is enforced by a callee or by
 * the API layer. Confirm before relying on this method as an authorization boundary.
 *
 * @param cmd the destroy request (VM id, expunge flag, entity owner id, volume ids)
 * @return the destroyed VM, or the existing VM record if it was already destroyed/expunging
 * @throws PermissionDeniedException if expunge is requested by a non-admin and
 *         {@code AllowUserExpungeRecoverVm} is false for the entity owner
 * @throws InvalidParameterValueException if the VM does not exist or is marked removed
 * @throws CloudRuntimeException if the ROOT-volume snapshot check reports pending snapshots,
 *         or if expunge fails
 */
@Override
@ActionEvent(eventType = EventTypes.EVENT_VM_DESTROY, eventDescription = "destroying Vm", async = true)
public UserVm destroyVm(DestroyVMCmd cmd) throws ResourceUnavailableException, ConcurrentOperationException {
    CallContext ctx = CallContext.current();
    long vmId = cmd.getId();
    boolean expunge = cmd.getExpunge();
    // Expunge is refused unless the caller is an admin or AllowUserExpungeRecoverVm is true for
    // the entity owner. This runs before the VM lookup, so the caller is rejected first.
    if (expunge && !_accountMgr.isAdmin(ctx.getCallingAccount().getId()) && !AllowUserExpungeRecoverVm.valueIn(cmd.getEntityOwnerId())) {
        throw new PermissionDeniedException("Parameter " + ApiConstants.EXPUNGE + " can be passed by Admin only. Or when the allow.user.expunge.recover.vm key is set.");
    }
    // The VM must exist and must not be marked removed.
    UserVmVO vm = _vmDao.findById(vmId);
    if (vm == null || vm.getRemoved() != null) {
        throw new InvalidParameterValueException("unable to find a virtual machine with id " + vmId);
    }
    // Nothing to do when the VM is already Destroyed (and no expunge is requested) or is
    // currently Expunging; the existing record is returned unchanged.
    if ((vm.getState() == State.Destroyed && !expunge) || vm.getState() == State.Expunging) {
        s_logger.debug("Vm id=" + vmId + " is already destroyed");
        return vm;
    }
    // Refuse to destroy while the ROOT-volume snapshot check reports snapshots not yet backed up.
    s_logger.debug("Checking if there are any ongoing snapshots on the ROOT volumes associated with VM with ID " + vmId);
    if (checkStatusOfVolumeSnapshots(vmId, Volume.Type.ROOT)) {
        throw new CloudRuntimeException("There is/are unbacked up snapshot(s) on ROOT volume, vm destroy is not permitted, please try again later.");
    }
    s_logger.debug("Found no ongoing snapshots on volume of type ROOT, for the vm with id " + vmId);
    // Volumes named in the request are validated and access-checked before the VM is stopped.
    List<VolumeVO> volumesToBeDeleted = getVolumesFromIds(cmd);
    checkForUnattachedVolumes(vmId, volumesToBeDeleted);
    validateVolumes(volumesToBeDeleted);
    final ControlledEntity[] volumesToDelete = volumesToBeDeleted.toArray(new ControlledEntity[0]);
    // sameOwner = true: all volumes to delete must belong to one account, and the calling
    // account must be granted access to each of them.
    _accountMgr.checkAccess(ctx.getCallingAccount(), null, true, volumesToDelete);
    stopVirtualMachine(vmId, VmDestroyForcestop.value());
    // Detach all data disks from VM
    List<VolumeVO> dataVols = _volsDao.findByInstanceAndType(vmId, Volume.Type.DATADISK);
    detachVolumesFromVm(dataVols);
    UserVm destroyedVm = destroyVm(vmId, expunge);
    if (expunge) {
        // `expunge(...)` here is the method, not the local flag; a false result is fatal.
        if (!expunge(vm, ctx.getCallingUserId(), ctx.getCallingAccount())) {
            throw new CloudRuntimeException("Failed to expunge vm " + destroyedVm);
        }
    }
    // Volume deletion runs last, after destroy and any expunge have succeeded.
    deleteVolumesFromVm(volumesToBeDeleted, expunge);
    return destroyedVm;
}
Also used : UserVm(com.cloud.uservm.UserVm) VolumeVO(com.cloud.storage.VolumeVO) InvalidParameterValueException(com.cloud.exception.InvalidParameterValueException) ControlledEntity(org.apache.cloudstack.acl.ControlledEntity) CloudRuntimeException(com.cloud.utils.exception.CloudRuntimeException) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) CallContext(org.apache.cloudstack.context.CallContext) ActionEvent(com.cloud.event.ActionEvent)

Example 9 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class AnnotationManagerImpl method setResponseEntityName.

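/**
 * Resolves the name of the annotated entity and stores it on the response.
 *
 * <p>For entity types that users may annotate, the entity is looked up by UUID and type; for
 * all other types the name comes from {@code getInfrastructureEntityName}. When the lookup
 * finds nothing, the response's entity name is set to {@code null}.
 *
 * <p>NOTE(review): no access check on the resolved entity is visible here, so the entity name
 * is disclosed to whoever receives the response; presumably the caller has already authorized
 * access to the annotation. Confirm.
 *
 * @param response   the response to populate
 * @param entityUuid UUID of the annotated entity
 * @param entityType type of the annotated entity
 */
private void setResponseEntityName(AnnotationResponse response, String entityUuid, EntityType entityType) {
    String entityName = null;
    if (entityType.isUserAllowed()) {
        ControlledEntity entity = getEntityFromUuidAndType(entityUuid, entityType);
        if (entity == null) {
            // Fix: the "could not find" message used to be logged when the entity WAS found,
            // and a failed lookup left no trace in the log.
            LOGGER.debug(String.format("Could not find an entity with type: %s and ID: %s", entityType.name(), entityUuid));
        } else {
            entityName = entity.getName();
        }
    } else {
        entityName = getInfrastructureEntityName(entityUuid, entityType);
    }
    response.setEntityName(entityName);
}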
Also used : ControlledEntity(org.apache.cloudstack.acl.ControlledEntity)

Example 10 with ControlledEntity

use of org.apache.cloudstack.acl.ControlledEntity in project cloudstack by apache.

the class AccountManagerImpl method checkAccess.

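/**
 * Verifies that {@code caller} may access every entity in {@code entities}.
 *
 * <p>Steps, in order:
 * <ol>
 *   <li>If {@code sameOwner} is set, all entities must share one account id. This runs for
 *       every caller, including system and root admin.</li>
 *   <li>The system account and root admins skip all remaining checks.</li>
 *   <li>Each entity must be granted by at least one registered {@code SecurityChecker};
 *       otherwise the call is denied.</li>
 *   <li>For entities subject to the cross-domain check, the entity's domain must exist, must
 *       not be removed, and must pass every checker's domain check.</li>
 * </ol>
 *
 * <p>Templates, affinity groups, and networks accessed with {@code AccessType.UseEntry} are
 * exempt from the cross-domain check in step 4.
 *
 * @param caller     the account requesting access
 * @param accessType the kind of access requested; may be {@code null}
 * @param sameOwner  whether all entities must belong to the same account
 * @param apiName    name of the API being invoked, passed through to the checkers
 * @param entities   the entities to authorize
 * @throws PermissionDeniedException if the entities belong to different accounts while
 *         {@code sameOwner} is set, if no checker grants access to an entity, or if an
 *         entity's domain is missing, removed, or rejected by a checker
 */
@Override
public void checkAccess(Account caller, AccessType accessType, boolean sameOwner, String apiName, ControlledEntity... entities) {
    // check that resources belong to the same account
    if (sameOwner) {
        Long ownerId = null;
        ControlledEntity prevEntity = null;
        for (ControlledEntity entity : entities) {
            if (ownerId == null) {
                ownerId = entity.getAccountId();
            } else if (ownerId.longValue() != entity.getAccountId()) {
                throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts");
            }
            prevEntity = entity;
        }
    }
    if (caller.getId() == Account.ACCOUNT_ID_SYSTEM || isRootAdmin(caller.getId())) {
        // no need to make permission checks if the system/root admin makes the call
        if (s_logger.isTraceEnabled()) {
            s_logger.trace("No need to make permission check for System/RootAdmin account, returning true");
        }
        return;
    }
    // Entities grouped by the domain that must pass the cross-domain check below.
    HashMap<Long, List<ControlledEntity>> domains = new HashMap<Long, List<ControlledEntity>>();
    for (ControlledEntity entity : entities) {
        long domainId = entity.getDomainId();
        if (entity.getAccountId() != -1 && domainId == -1) {
            // If account exists domainId should too so calculate
            // it. This condition might be hit for templates or entities which miss domainId in their tables
            Account account = ApiDBUtils.findAccountById(entity.getAccountId());
            domainId = account != null ? account.getDomainId() : -1;
        }
        // for templates, we don't have to do cross domains check; the same exemption applies
        // to affinity groups and to networks accessed with UseEntry
        if (entity.getAccountId() != -1 && domainId != -1 && !(entity instanceof VirtualMachineTemplate) && !(entity instanceof Network && accessType == AccessType.UseEntry) && !(entity instanceof AffinityGroup)) {
            // Fix: look the list up under the resolved domainId, the same key used by put().
            // The old lookup used entity.getDomainId(), which is -1 for entities whose domain
            // was derived from the account; each such entity then replaced the list already
            // stored for its domain, dropping earlier entities from the denial details.
            List<ControlledEntity> toBeChecked = domains.get(domainId);
            if (toBeChecked == null) {
                toBeChecked = new ArrayList<ControlledEntity>();
                domains.put(domainId, toBeChecked);
            }
            toBeChecked.add(entity);
        }
        // Default deny: access is granted only if some checker explicitly returns true.
        boolean granted = false;
        for (SecurityChecker checker : _securityCheckers) {
            if (checker.checkAccess(caller, entity, accessType, apiName)) {
                if (s_logger.isDebugEnabled()) {
                    s_logger.debug("Access to " + entity + " granted to " + caller + " by " + checker.getName());
                }
                granted = true;
                break;
            }
        }
        if (!granted) {
            // NOTE(review): with JVM assertions enabled this raises AssertionError before the
            // PermissionDeniedException below, so callers that catch only the latter see a
            // different failure in test runs than in production.
            assert false : "How can all of the security checkers pass on checking this check: " + entity;
            throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity);
        }
    }
    for (Map.Entry<Long, List<ControlledEntity>> domain : domains.entrySet()) {
        for (SecurityChecker checker : _securityCheckers) {
            Domain d = _domainMgr.getDomain(domain.getKey());
            if (d == null || d.getRemoved() != null) {
                throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue());
            }
            try {
                // NOTE(review): any return value is discarded here, so a denial takes effect
                // only if the checker throws; confirm every SecurityChecker implementation
                // throws PermissionDeniedException on denial for this overload.
                checker.checkAccess(caller, d);
            } catch (PermissionDeniedException e) {
                e.addDetails(caller, domain.getValue());
                throw e;
            }
        }
    }
}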
Also used : VirtualMachineTemplate(com.cloud.template.VirtualMachineTemplate) HashMap(java.util.HashMap) SecurityChecker(org.apache.cloudstack.acl.SecurityChecker) AffinityGroup(org.apache.cloudstack.affinity.AffinityGroup) ControlledEntity(org.apache.cloudstack.acl.ControlledEntity) Network(com.cloud.network.Network) PermissionDeniedException(com.cloud.exception.PermissionDeniedException) ArrayList(java.util.ArrayList) List(java.util.List) Domain(com.cloud.domain.Domain) Map(java.util.Map) HashMap(java.util.HashMap)

Aggregations

ControlledEntity (org.apache.cloudstack.acl.ControlledEntity)11 ArrayList (java.util.ArrayList)5 InvalidParameterValueException (com.cloud.exception.InvalidParameterValueException)4 Account (com.cloud.user.Account)4 DomainVO (com.cloud.domain.DomainVO)3 PermissionDeniedException (com.cloud.exception.PermissionDeniedException)3 HashMap (java.util.HashMap)3 EventVO (com.cloud.event.EventVO)2 NetworkDomainVO (com.cloud.network.dao.NetworkDomainVO)2 DB (com.cloud.utils.db.DB)2 TransactionStatus (com.cloud.utils.db.TransactionStatus)2 CloudRuntimeException (com.cloud.utils.exception.CloudRuntimeException)2 List (java.util.List)2 Map (java.util.Map)2 InfrastructureEntity (org.apache.cloudstack.acl.InfrastructureEntity)2 Domain (com.cloud.domain.Domain)1 ActionEvent (com.cloud.event.ActionEvent)1 Network (com.cloud.network.Network)1 LoadBalancerVO (com.cloud.network.dao.LoadBalancerVO)1 NetworkVO (com.cloud.network.dao.NetworkVO)1