private void denyApiAccess(final String commandName) throws PermissionDeniedException { throw new PermissionDeniedException("The API " + commandName + " is blacklisted for the account's role."); }
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, " + "Zone is currently disabled"); ex.addProxyObject(zone.getUuid(), "zoneId"); throw ex;
ownerId = entity.getAccountId(); } else if (ownerId.longValue() != entity.getAccountId()) { throw new PermissionDeniedException("Entity " + entity + " and entity " + prevEntity + " belong to different accounts"); throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + entity); Domain d = _domainMgr.getDomain(domain.getKey()); if (d == null || d.getRemoved() != null) { throw new PermissionDeniedException("Domain is not found.", caller, domain.getValue()); e.addDetails(caller, domain.getValue()); throw e;
throw new ServerApiException(ApiErrorCode.PARAM_ERROR, ex.getMessage(), ex); } catch (final PermissionDeniedException ex) { final ArrayList<ExceptionProxyObject> idList = ex.getIdProxyList(); if (idList != null) { final StringBuffer buf = new StringBuffer(); buf.append(" "); s_logger.info("PermissionDenied: " + ex.getMessage() + " on objs: [" + buf.toString() + "]"); } else { s_logger.info("PermissionDenied: " + ex.getMessage()); throw new ServerApiException(ApiErrorCode.ACCOUNT_ERROR, ex.getMessage(), ex); } catch (final AccountLimitException ex) { s_logger.info(ex.getMessage());
@Override public void checkAccess(User user, ControlledEntity entity) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(user, entity)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + user + "to " + entity + "by " + checker.getName()); } return; } } throw new PermissionDeniedException("There's no way to confirm " + user + " has access to " + entity); }
@Override public long getEntityOwnerId() { Volume volume = _entityMgr.findById(Volume.class, getVolumeId()); if (volume == null) { throw new InvalidParameterValueException("Unable to find volume by id=" + volumeId); } Account account = _accountService.getAccount(volume.getAccountId()); //Can create templates for enabled projects/accounts only if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { Project project = _projectService.findByProjectAccountId(volume.getAccountId()); if (project.getState() != Project.State.Active) { PermissionDeniedException ex = new PermissionDeniedException("Can't add resources to the specified project id in state=" + project.getState() + " as it's no longer active"); ex.addProxyObject(project.getUuid(), "projectId"); throw ex; } } else if (account.getState() == Account.State.disabled) { throw new PermissionDeniedException("The owner of template is disabled: " + account); } return volume.getAccountId(); }
@Override public void checkAccess(Account caller, Domain domain) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(caller, domain)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + caller + " to " + domain + " by " + checker.getName()); } return; } } throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to " + domain); }
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); throw ex;
@Override public void checkAccess(Account account, DiskOffering dof) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(account, dof)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + account + " to " + dof + " by " + checker.getName()); } return; } } assert false : "How can all of the security checkers pass on checking this caller?"; throw new PermissionDeniedException("There's no way to confirm " + account + " has access to " + dof); }
return account.getId(); } else { throw new PermissionDeniedException("Can't add resources to the account id=" + account.getId() + " in state=" + account.getState() + " as it's no longer active"); return project.getProjectAccountId(); } else { final PermissionDeniedException ex = new PermissionDeniedException( "Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active"); ex.addProxyObject(project.getUuid(), "projectId"); throw ex;
@Override public void checkAccess(Account account, ServiceOffering so) throws PermissionDeniedException { for (SecurityChecker checker : _securityCheckers) { if (checker.checkAccess(account, so)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + account + " to " + so + " by " + checker.getName()); } return; } } assert false : "How can all of the security checkers pass on checking this caller?"; throw new PermissionDeniedException("There's no way to confirm " + account + " has access to " + so); }
PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); throw ex;
private void checkCallerAccess() { if (!isEnabled()) { throw new PermissionDeniedException("Dynamic api checker is not enabled, aborting role operation"); } Account caller = getCurrentAccount(); if (caller == null || caller.getRoleId() == null) { throw new PermissionDeniedException("Restricted API called by an invalid user account"); } Role callerRole = findRole(caller.getRoleId()); if (callerRole == null || callerRole.getRoleType() != RoleType.Admin) { throw new PermissionDeniedException("Restricted API called by an user account of non-Admin role type"); } }
final PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); throw ex;
@Override public void checkDiskOfferingAccess(final Account caller, final DiskOffering dof) { for (final SecurityChecker checker : _secChecker) { if (checker.checkAccess(caller, dof)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + caller + " to disk offering:" + dof.getId() + " by " + checker.getName()); } return; } else { throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName()); } } assert false : "How can all of the security checkers pass on checking this caller?"; throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to disk offering:" + dof.getId()); }
final PermissionDeniedException ex = new PermissionDeniedException("Cannot perform this operation, Zone with specified id is currently disabled"); ex.addProxyObject(zone.getUuid(), "dcId"); throw ex;
@Override public void checkZoneAccess(final Account caller, final DataCenter zone) { for (final SecurityChecker checker : _secChecker) { if (checker.checkAccess(caller, zone)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Access granted to " + caller + " to zone:" + zone.getId() + " by " + checker.getName()); } return; } else { throw new PermissionDeniedException("Access denied to " + caller + " by " + checker.getName() + " for zone " + zone.getId()); } } assert false : "How can all of the security checkers pass on checking this caller?"; throw new PermissionDeniedException("There's no way to confirm " + caller + " has access to zone:" + zone.getId()); }
throw new PermissionDeniedException("Extraction has been disabled by admin"); PermissionDeniedException ex = new PermissionDeniedException("Invalid state of the volume with specified ID. It should be either detached or the VM should be in stopped state."); ex.addProxyObject(volume.getUuid(), "volumeId"); throw ex; if (!isExtractable && account != null && !_accountMgr.isRootAdmin(account.getId())) { PermissionDeniedException ex = new PermissionDeniedException("The volume with specified volumeId is not allowed to be extracted"); ex.addProxyObject(volume.getUuid(), "volumeId"); throw ex;
private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException { if (user == null) { throw new PermissionDeniedException("User is null for role based API access check for command" + commandName); } final Account account = accountMgr.getAccount(user.getAccountId()); final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s",""); final Boolean apiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value(); if (apiSourceCidrChecksEnabled) { s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs); if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) { s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs); throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress()); } } for (final APIChecker apiChecker : apiAccessCheckers) { apiChecker.checkAccess(user, commandName); } }
} else { final PermissionDeniedException ex = new PermissionDeniedException("Can't add resources to the project with specified projectId in state=" + project.getState() + " as it's no longer active"); ex.addProxyObject(project.getUuid(), "projectId"); throw ex;