use of org.ovirt.engine.core.bll.utils.PermissionSubject in project ovirt-engine by oVirt.
the class AddVmCommand method checkCreateInstancePermission.
/**
 * Fallback check that lets {@link ActionGroup#CREATE_INSTANCE} stand in for
 * {@link ActionGroup#CREATE_VM} on the object types where either permission is acceptable.
 * {@link #getPermissionCheckSubjects()} only produces {@link ActionGroup#CREATE_VM} based subjects,
 * so this method re-checks a subject with the action group swapped.
 *
 * <p>Only {@link VdcObjectType#Cluster} and {@link VdcObjectType#VmTemplate} subjects are eligible;
 * every other object type is rejected without consulting the permission check.
 *
 * @param permSubject permission subject
 * @return true if {@link ActionGroup#CREATE_INSTANCE} based permission is sufficient, false otherwise
 */
private boolean checkCreateInstancePermission(PermissionSubject permSubject) {
    final VdcObjectType objectType = permSubject.getObjectType();
    final boolean eligibleForInstancePermission =
            VdcObjectType.Cluster.equals(objectType) || VdcObjectType.VmTemplate.equals(objectType);
    if (!eligibleForInstancePermission) {
        return false;
    }

    // Same object id, type and message as the incoming subject; only the action group is replaced.
    // The command's own validation-message collection is handed to the check.
    // NOTE(review): presumably a denial here appends to the messages shown to the caller - confirm
    // against checkSinglePermission.
    return checkSinglePermission(
            new PermissionSubject(
                    permSubject.getObjectId(),
                    objectType,
                    ActionGroup.CREATE_INSTANCE,
                    permSubject.getMessage()),
            getReturnValue().getValidationMessages());
}
use of org.ovirt.engine.core.bll.utils.PermissionSubject in project ovirt-engine by oVirt.
the class AddVmCommand method addPermissionSubjectForAdminLevelProperties.
/**
 * Appends the additional permission subjects needed when the requested VM differs from its
 * template in properties that require elevated rights.
 *
 * <ul>
 * <li>{@link ActionGroup#CHANGE_VM_CUSTOM_PROPERTIES} on the cluster when the custom properties
 * differ from the template's.</li>
 * <li>{@link ActionGroup#EDIT_ADMIN_VM_PROPERTIES} on the cluster when the set of dedicated hosts
 * differs from the template's or a CPU pinning value is supplied. This part is skipped entirely
 * for a blank template.</li>
 * </ul>
 *
 * @param permissionList list the extra subjects are appended to; modified in place
 */
protected void addPermissionSubjectForAdminLevelProperties(List<PermissionSubject> permissionList) {
    final VmStatic requestedVm = getParameters().getVmStaticData();
    final VmTemplate template = getVmTemplate();

    // NOTE(review): when either side is missing, no admin-level subject is added at all, so these
    // extra checks are not enforced on that path - confirm validation rejects the request elsewhere.
    if (requestedVm == null || template == null) {
        return;
    }

    // user needs specific permission to change custom properties
    final boolean customPropertiesDiffer =
            !Objects.equals(requestedVm.getCustomProperties(), template.getCustomProperties());
    if (customPropertiesDiffer) {
        permissionList.add(new PermissionSubject(getClusterId(), VdcObjectType.Cluster, ActionGroup.CHANGE_VM_CUSTOM_PROPERTIES));
    }

    // if the template is blank we ignore its pinned hosts
    // NOTE(review): this early return also bypasses the CPU pinning condition below, not only the
    // pinned-host comparison - confirm that is intended for VMs created from the blank template.
    if (template.isBlank()) {
        return;
    }

    // Compared as sets, so ordering and duplicates in the two lists are irrelevant.
    final Set<Guid> requestedHosts = new HashSet<>(requestedVm.getDedicatedVmForVdsList());
    final Set<Guid> templateHosts = new HashSet<>(template.getDedicatedVmForVdsList());

    // host-specific parameters can be changed by administration role only
    final boolean hostSpecificSettingsChanged =
            !requestedHosts.equals(templateHosts) || !StringUtils.isEmpty(requestedVm.getCpuPinning());
    if (hostSpecificSettingsChanged) {
        permissionList.add(new PermissionSubject(getClusterId(), VdcObjectType.Cluster, ActionGroup.EDIT_ADMIN_VM_PROPERTIES));
    }
}
use of org.ovirt.engine.core.bll.utils.PermissionSubject in project ovirt-engine by oVirt.
the class AddVmCommand method getPermissionCheckSubjects.
/**
 * Builds the list of permission subjects that must be satisfied to add the VM.
 *
 * <p>The list always contains the cluster and the template, both with this command's action group.
 * When the template exists and has at least one disk, a {@link ActionGroup#CREATE_DISK} subject is
 * added for each destination disk that carries storage ids. Subjects for admin-level properties are
 * appended last.
 *
 * @return a new list of permission subjects
 */
@Override
public List<PermissionSubject> getPermissionCheckSubjects() {
    List<PermissionSubject> subjects = new ArrayList<>();
    subjects.add(new PermissionSubject(getClusterId(), VdcObjectType.Cluster, getActionType().getActionGroup()));
    subjects.add(new PermissionSubject(getVmTemplateId(), VdcObjectType.VmTemplate, getActionType().getActionGroup()));

    final VmTemplate template = getVmTemplate();
    final boolean templateHasDisks = template != null && !template.getDiskList().isEmpty();
    if (templateHasDisks) {
        // Only the first storage id of each destination disk is checked. Destination entries with
        // null or empty storage ids contribute no subject.
        // NOTE(review): confirm such entries are rejected by validation rather than created unchecked.
        List<PermissionSubject> storageSubjects = getParameters().getDiskInfoDestinationMap().values().stream()
                .filter(disk -> disk.getStorageIds() != null)
                .filter(disk -> !disk.getStorageIds().isEmpty())
                .map(disk -> new PermissionSubject(disk.getStorageIds().get(0), VdcObjectType.Storage, ActionGroup.CREATE_DISK))
                .collect(Collectors.toList());
        subjects.addAll(storageSubjects);
    }

    addPermissionSubjectForAdminLevelProperties(subjects);
    return subjects;
}
use of org.ovirt.engine.core.bll.utils.PermissionSubject in project ovirt-engine by oVirt.
the class AddVmCommand method checkInstanceTypeImagePermissions.
/**
 * Checks access to an instance type/image: the user needs either CREATE_INSTANCE or the specific
 * getActionType().getActionGroup() on it. Both are checked against {@link VdcObjectType#VmTemplate}.
 *
 * <p>CREATE_INSTANCE is tried first and the command's action group is consulted only if that fails.
 * When both fail, only the messages collected for the action-group check are added to the
 * validation messages; the messages collected for the CREATE_INSTANCE check are not read again.
 *
 * @param id id of the instance type/image
 * @return true if at least one of the two permissions is granted, false otherwise
 */
private boolean checkInstanceTypeImagePermissions(Guid id) {
    // Both subjects are built up front, before either check runs.
    final PermissionSubject viaCreateInstance = new PermissionSubject(id, VdcObjectType.VmTemplate, ActionGroup.CREATE_INSTANCE);
    final PermissionSubject viaActionGroup = new PermissionSubject(id, VdcObjectType.VmTemplate, getActionType().getActionGroup());

    // it is enough if at least one of these two permissions is there
    final Collection<String> unreportedMessages = new ArrayList<>();
    if (checkSinglePermission(viaCreateInstance, unreportedMessages)) {
        return true;
    }

    final Collection<String> reportedMessages = new ArrayList<>();
    if (checkSinglePermission(viaActionGroup, reportedMessages)) {
        return true;
    }

    getReturnValue().getValidationMessages().addAll(reportedMessages);
    return false;
}
use of org.ovirt.engine.core.bll.utils.PermissionSubject in project ovirt-engine by oVirt.
the class AddVmFromSnapshotCommand method getPermissionCheckSubjects.
/**
 * Extends the parent's permission subjects with one for the VM the snapshot belongs to, checked
 * with this command's action group.
 *
 * @return the list obtained from the superclass with the snapshot VM subject appended
 */
@Override
public List<PermissionSubject> getPermissionCheckSubjects() {
    // The subject is appended to the very list the superclass returns, so that list must be mutable.
    final List<PermissionSubject> subjects = super.getPermissionCheckSubjects();
    final PermissionSubject snapshotVmSubject =
            new PermissionSubject(getVmIdFromSnapshot(), VdcObjectType.VM, getActionType().getActionGroup());
    subjects.add(snapshotVmSubject);
    return subjects;
}