private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException { if (user == null) { throw new PermissionDeniedException("User is null for role based API access check for command" + commandName); } final Account account = accountMgr.getAccount(user.getAccountId()); final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s",""); final Boolean apiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value(); if (apiSourceCidrChecksEnabled) { s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs); if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) { s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs); throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress()); } } for (final APIChecker apiChecker : apiAccessCheckers) { apiChecker.checkAccess(user, commandName); } }
s_logger.debug("Console/thumbnail access denied. VM " + vmId + " does not exist in system any more"); return false; if (_accountMgr.isRootAdmin(accountObj.getId())) return true; case User: try { _accountMgr.checkAccess(accountObj, null, true, vm); } catch (PermissionDeniedException ex) { if (_accountMgr.isNormalUser(accountObj.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId() + " does not match the account id in session " + accountObj.getId() + " and caller is a normal user"); } else if (_accountMgr.isDomainAdmin(accountObj.getId()) || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) { if(s_logger.isDebugEnabled()) {
@Override public boolean revokePortForwardingRulesForVm(long vmId) { boolean success = true; UserVmVO vm = _vmDao.findByIdIncludingRemoved(vmId); if (vm == null) { return false; } List<PortForwardingRuleVO> rules = _portForwardingDao.listByVm(vmId); Set<Long> ipsToReprogram = new HashSet<Long>(); if (rules == null || rules.isEmpty()) { s_logger.debug("No port forwarding rules are found for vm id=" + vmId); return true; } for (PortForwardingRuleVO rule : rules) { // Mark port forwarding rule as Revoked, but don't revoke it yet (apply=false) revokePortForwardingRuleInternal(rule.getId(), _accountMgr.getSystemAccount(), Account.ACCOUNT_ID_SYSTEM, false); ipsToReprogram.add(rule.getSourceIpAddressId()); } // apply rules for all ip addresses for (Long ipId : ipsToReprogram) { s_logger.debug("Applying port forwarding rules for ip address id=" + ipId + " as a part of vm expunge"); if (!applyPortForwardingRules(ipId, _ipAddrMgr.RulesContinueOnError.value(), _accountMgr.getSystemAccount())) { s_logger.warn("Failed to apply port forwarding rules for ip id=" + ipId); success = false; } } return success; }
@Override public boolean canModifyProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (_accountMgr.isDomainAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(accountId); _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId())); return true; } return _projectAccountDao.canModifyProjectAccount(caller.getId(), accountId); }
private void checkResourceAccessible(Long accountId, Long domainId, String exceptionMessage) { Account caller = CallContext.current().getCallingAccount(); if (Objects.equals(domainId, -1)) { throw new CloudRuntimeException("Invalid DomainId: -1"); } if (accountId != null) { _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId)); } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) { //check permissions; _accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId)); } else { throw new PermissionDeniedException(exceptionMessage); } }
@Override public void doInTransactionWithoutResult(final TransactionStatus status) { for (DomainVlanMapVO map : maps) { if (!releasePublicIpRange(map.getVlanDbId(), _accountMgr.getSystemUser().getId(), _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM))) { throw new CloudRuntimeException("Failed to release domain specific virtual ip ranges for domain id=" + domainId); } } } });
answer = (DestroyLoadBalancerApplianceAnswer)_agentMgr.easySend(lbDevice.getParentHostId(), lbDeleteCmd); if (answer == null || !answer.getResult()) { s_logger.warn("Failed to destoy load balancer appliance used by the network" + guestConfig.getId() + " due to " + answer == null ? "communication error with agent" : answer.getDetails()); s_logger.warn("Failed to destroy load balancer appliance used by the network" + guestConfig.getId() + " due to " + e.getMessage()); if (s_logger.isDebugEnabled()) { s_logger.debug("Successfully destroyed load balancer appliance used for the network" + guestConfig.getId()); _ipAddrMgr.disassociatePublicIpAddress(ipVo.getId(), _accountMgr.getSystemUser().getId(), _accountMgr.getSystemAccount()); } else { deviceMapLock.unlock();
String jobEvent = eventInfo.second(); if (s_logger.isTraceEnabled()) s_logger.trace("Handle asyjob publish event " + jobEvent); User userJobOwner = accountMgr.getUserIncludingRemoved(job.getUserId()); Account jobOwner = accountMgr.getAccount(userJobOwner.getAccountId()); cmdEventType = eventTypeObj; if (s_logger.isDebugEnabled()) s_logger.debug("Retrieved cmdEventType from job info: " + cmdEventType); } else { eventDescription.put("command", job.getCmd()); eventDescription.put("user", userJobOwner.getUuid()); eventDescription.put("account", jobOwner.getUuid()); eventDescription.put("processStatus", "" + job.getProcessStatus()); eventDescription.put("resultCode", "" + job.getResultCode()); DomainVO domain = domainDao.findById(jobOwner.getDomainId()); eventDescription.put("username", userJobOwner.getUsername()); eventDescription.put("accountname", jobOwner.getAccountName()); eventDescription.put("domainname", domain.getName());
if (s_logger.isDebugEnabled()) { s_logger.debug("AddQuotaCredits: Depositing " + amount + " on adjusted date " + despositedOn + ", current balance " + currentAccountBalance); if (currentAccountBalance.compareTo(new BigDecimal(0)) >= 0) { if (account.getState() == Account.State.locked) { s_logger.info("UnLocking account " + account.getAccountName() + " , due to positive balance " + currentAccountBalance); _accountMgr.enableAccount(account.getAccountName(), domainId, accountId); s_logger.info("Locking account " + account.getAccountName() + " , due to negative balance " + currentAccountBalance); _accountMgr.lockAccount(account.getAccountName(), domainId, accountId);
@Override public VirtualRouter destroyRouter(final long routerId, final Account caller, final Long callerUserId) throws ResourceUnavailableException, ConcurrentOperationException { if (s_logger.isDebugEnabled()) { s_logger.debug("Attempting to destroy router " + routerId); } final DomainRouterVO router = _routerDao.findById(routerId); if (router == null) { return null; } _accountMgr.checkAccess(caller, null, true, router); _itMgr.expunge(router.getUuid()); _routerDao.remove(router.getId()); return router; }
paramList = URLEncodedUtils.parse(new URI(request.getRequestLine().getUri()), HttpUtils.UTF_8); } catch (final URISyntaxException e) { s_logger.error("Error parsing url request", e); CallContext.register(accountMgr.getSystemUser(), accountMgr.getSystemAccount()); sb.insert(0, "(userId=" + User.UID_SYSTEM + " accountId=" + Account.ACCOUNT_ID_SYSTEM + " sessionId=" + null + ") "); final String responseText = handleRequest(parameterMap, responseType, sb); } catch (final RuntimeException e) { s_logger.error("Unhandled exception, ", e); throw e; s_accessLogger.info(sb.toString()); CallContext.unregister();
s_logger.info("Router configurations: " + "ramsize=" + _routerRamSize); s_logger.error(msg); throw new ConfigurationException(msg); NetworkHelperImpl.setSystemAccount(_accountMgr.getSystemAccount()); s_logger.info("DomainRouterManager is configured.");
protected boolean applyPortForwardingRules(long ipId, boolean continueOnError, Account caller) { List<PortForwardingRuleVO> rules = _portForwardingDao.listForApplication(ipId); if (rules.size() == 0) { s_logger.debug("There are no port forwarding rules to apply for ip id=" + ipId); return true; } if (caller != null) { _accountMgr.checkAccess(caller, null, true, rules.toArray(new PortForwardingRuleVO[rules.size()])); } try { if (!_firewallMgr.applyRules(rules, continueOnError, true)) { return false; } } catch (ResourceUnavailableException ex) { s_logger.warn("Failed to apply port forwarding rules for ip due to ", ex); return false; } return true; }
if (accountName != null) { Account caller = CallContext.current().getCallingAccount(); Account owner = _accountMgr.finalizeOwner(caller, accountName, domainId, null); accountId = owner.getId(); s_logger.error("Cluster " + cluster.getName() + " is already dedicated"); throw new CloudRuntimeException("Cluster " + cluster.getName() + " is already dedicated"); s_logger.error("Cannot dedicate Cluster. Its Pod is already dedicated"); HostPodVO pod = _podDao.findById(cluster.getPodId()); throw new CloudRuntimeException("Cluster's Pod " + pod.getName() + " is already dedicated"); s_logger.error("Cannot dedicate Cluster. Its zone is already dedicated"); DataCenterVO zone = _zoneDao.findById(cluster.getDataCenterId()); throw new CloudRuntimeException("Cluster's Zone " + zone.getName() + " is already dedicated");
retry = false; s_logger.warn("There are no load balancer device with the capacity for implementing this network"); throw exception; } else { createLbAnswer = (CreateLoadBalancerApplianceAnswer)_agentMgr.easySend(lbProviderDevice.getHostId(), lbProvisionCmd); if (createLbAnswer == null || !createLbAnswer.getResult()) { s_logger.error("Could not provision load balancer instance on the load balancer device " + lbProviderDevice.getId()); continue; s_logger.error("Could not provision load balancer instance on the load balancer device " + lbProviderDevice.getId() + " due to " + agentException.getMessage()); continue; _ipAddrMgr.assignPublicIpAddress(guestConfig.getDataCenterId(), null, _accountMgr.getSystemAccount(), VlanType.VirtualNetwork, null, null, false, false); String publicIPNetmask = publicIp.getVlanNetmask(); _ipAddrMgr.disassociatePublicIpAddress(publicIp.getId(), _accountMgr.getSystemUser().getId(), _accountMgr.getSystemAccount());
s_logger.debug("Applying " + rulesToApply.size() + " on element " + getName()); s_logger.debug(String.format("Destroying internal lb vm for ip %s as all the rules for this vm are in Revoke state", sourceIp.addr())); return _internalLbMgr.destroyInternalLbVm(vms.get(0).getId(), _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM), _accountMgr.getUserIncludingRemoved(User.UID_SYSTEM).getId()); } catch (ConcurrentOperationException e) { s_logger.warn(String.format("Failed to apply lb rule(s) for ip %s on the element %s due to: ", sourceIp.addr(), getName()), e); return false; try { DeployDestination dest = new DeployDestination(_entityMgr.findById(DataCenter.class, network.getDataCenterId()), null, null, null); internalLbVms = _internalLbMgr.deployInternalLbVm(network, sourceIp, dest, _accountMgr.getAccount(network.getAccountId()), null); } catch (InsufficientCapacityException e) { s_logger.warn(String.format("Failed to apply lb rule(s) for ip %s on the element %s due to: ", sourceIp.addr(), getName()), e);
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); if (s_logger.isDebugEnabled()) { s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId()); _accountMgr.checkAccess(caller, null, false, ipOwner);
if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot create the affinity group"); verifyAccessToDomainWideProcessor(caller, processor); DomainVO domain = getDomain(domainId); _accountMgr.checkAccess(caller, domain); owner = _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM); aclType = ControlledEntity.ACLType.Domain; domainLevel = true; } else { owner = _accountMgr.finalizeOwner(caller, accountName, domainId, projectId); aclType = ControlledEntity.ACLType.Account; verifyAffinityGroupNameInUse(owner.getAccountId(), owner.getDomainId(), affinityGroupName); verifyDomainLevelAffinityGroupName(domainLevel, owner.getDomainId(), affinityGroupName); if (s_logger.isDebugEnabled()) { s_logger.debug("Created affinity group =" + affinityGroupName);
try { final long id = _routerDao.getNextInSequence(Long.class, "id"); if (s_logger.isDebugEnabled()) { s_logger.debug(String.format("Allocating the VR with id=%s in datacenter %s with the hypervisor type %s", id, routerDeploymentDefinition.getDest() .getDataCenter(), hType)); s_logger.debug(hType + " won't support system vm, skip it"); continue; if (CallContext.current().getCallingAccount().getId() != owner.getId()) { final List<UserVO> userVOs = _userDao.listByAccount(owner.getAccountId()); if (!userVOs.isEmpty()) { userId = userVOs.get(0).getId(); router = startVirtualRouter(router, _accountMgr.getSystemUser(), _accountMgr.getSystemAccount(), routerDeploymentDefinition.getParams()); break; } catch (final InsufficientCapacityException ex) { s_logger.debug("Failed to start the VR " + router + " with hypervisor type " + hType + ", " + "destroying it and recreating one more time"); destroyRouter(router.getId(), _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM), User.UID_SYSTEM); continue; } else {
try { final long id = _internalLbVmDao.getNextInSequence(Long.class, "id"); if (s_logger.isDebugEnabled()) { s_logger.debug("Creating the internal lb vm " + id + " in datacenter " + dest.getDataCenter() + " with hypervisor type " + hType); s_logger.debug(hType + " won't support system vm, skip it"); continue; if (CallContext.current().getCallingAccount().getId() != owner.getId()) { List<UserVO> userVOs = _userDao.listByAccount(owner.getAccountId()); if (!userVOs.isEmpty()) { userId = userVOs.get(0).getId(); internalLbVm = startInternalLbVm(internalLbVm, _accountMgr.getSystemAccount(), User.UID_SYSTEM, params); break; } catch (final InsufficientCapacityException ex) { "destroying it and recreating one more time"); destroyInternalLbVm(internalLbVm.getId(), _accountMgr.getSystemAccount(), User.UID_SYSTEM); continue; } else {