protected void setupAccountOwner() { if (networkModel.isNetworkSystem(guestNetwork) || guestNetwork.getGuestType() == Network.GuestType.Shared) { owner = accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM); } }
@Override public Account getProjectOwner(long projectId) { ProjectAccount prAcct = _projectAccountDao.getProjectOwner(projectId); if (prAcct != null) { return _accountMgr.getAccount(prAcct.getAccountId()); } return null; }
@Override public Account getVlanAccount(final long vlanId) { final Vlan vlan = _vlanDao.findById(vlanId); // if vlan is Virtual Account specific, get vlan information from the // accountVlanMap; otherwise get account information // from the network if (vlan.getVlanType() == VlanType.VirtualNetwork) { final List<AccountVlanMapVO> maps = _accountVlanMapDao.listAccountVlanMapsByVlan(vlanId); if (maps != null && !maps.isEmpty()) { return _accountMgr.getAccount(maps.get(0).getAccountId()); } } return null; }
@Override public TemplateProfile prepare(GetUploadParamsForTemplateCmd cmd) throws ResourceAllocationException { TemplateProfile profile = super.prepare(cmd); // Check that the resource limit for secondary storage won't be exceeded _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()), ResourceType.secondary_storage); return profile; }
private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException { if (user == null) { throw new PermissionDeniedException("User is null for role based API access check for command" + commandName); } final Account account = accountMgr.getAccount(user.getAccountId()); final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s",""); final Boolean apiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value(); if (apiSourceCidrChecksEnabled) { s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs); if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) { s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs); throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress()); } } for (final APIChecker apiChecker : apiAccessCheckers) { apiChecker.checkAccess(user, commandName); } }
@Override public boolean implementVpc(final Vpc vpc, final DeployDestination dest, final ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException, InsufficientCapacityException { final Map<VirtualMachineProfile.Param, Object> params = new HashMap<VirtualMachineProfile.Param, Object>(1); params.put(VirtualMachineProfile.Param.ReProgramGuestNetworks, true); if (vpc.isRollingRestart()) { params.put(VirtualMachineProfile.Param.RollingRestart, true); } final RouterDeploymentDefinition routerDeploymentDefinition = routerDeploymentDefinitionBuilder.create().setVpc(vpc).setDeployDestination(dest) .setAccountOwner(_accountMgr.getAccount(vpc.getAccountId())).setParams(params).build(); routerDeploymentDefinition.deployVirtualRouter(); return true; }
@Override public void doInTransactionWithoutResult(final TransactionStatus status) { for (DomainVlanMapVO map : maps) { if (!releasePublicIpRange(map.getVlanDbId(), _accountMgr.getSystemUser().getId(), _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM))) { throw new CloudRuntimeException("Failed to release domain specific virtual ip ranges for domain id=" + domainId); } } } });
@Override public void doInTransactionWithoutResult(final TransactionStatus status) { for (final AccountVlanMapVO map : maps) { if (!releasePublicIpRange(map.getVlanDbId(), _accountMgr.getSystemUser().getId(), _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM))) { throw new CloudRuntimeException("Failed to release account specific virtual ip ranges for account id=" + accountId); } } } });
public boolean verifyUser(Long userId) { // copy from ApiServer.java, a bit ugly here User user = _accountMgr.getUserIncludingRemoved(userId); Account account = null; if (user != null) { account = _accountMgr.getAccount(user.getAccountId()); } if ((user == null) || (user.getRemoved() != null) || !user.getState().equals(Account.State.enabled) || (account == null) || !account.getState().equals(Account.State.enabled)) { s_logger.warn("Deleted/Disabled/Locked user with id=" + userId + " attempting to access public API"); return false; } return true; }
@Override public boolean verifyUser(final Long userId) { final User user = accountMgr.getUserIncludingRemoved(userId); Account account = null; if (user != null) { account = accountMgr.getAccount(user.getAccountId()); } if ((user == null) || (user.getRemoved() != null) || !user.getState().equals(Account.State.enabled) || (account == null) || !account.getState().equals(Account.State.enabled)) { s_logger.warn("Deleted/Disabled/Locked user with id=" + userId + " attempting to access public API"); return false; } return true; }
@Override public boolean destroy(final Network config, final ReservationContext context) throws ConcurrentOperationException, ResourceUnavailableException { final List<DomainRouterVO> routers = _routerDao.listByNetworkAndRole(config.getId(), Role.VIRTUAL_ROUTER); if (routers == null || routers.isEmpty()) { return true; } boolean result = true; // NOTE that we need to pass caller account to destroyRouter, otherwise // it will fail permission check there. Context passed in from // deleteNetwork is the network account, // not caller account final Account callerAccount = _accountMgr.getAccount(context.getCaller().getAccountId()); for (final DomainRouterVO router : routers) { result = result && _routerMgr.destroyRouter(router.getId(), callerAccount, context.getCaller().getId()) != null; } return result; }
private void checkResourceAccessible(Long accountId, Long domainId, String exceptionMessage) { Account caller = CallContext.current().getCallingAccount(); if (Objects.equals(domainId, -1)) { throw new CloudRuntimeException("Invalid DomainId: -1"); } if (accountId != null) { _accountMgr.checkAccess(caller, null, false, _accountMgr.getAccount(accountId)); } else if (domainId != null && !_accountMgr.isNormalUser(caller.getId())) { //check permissions; _accountMgr.checkAccess(caller, _domainMgr.getDomain(domainId)); } else { throw new PermissionDeniedException(exceptionMessage); } }
@Override @DB @ActionEvent(eventType = EventTypes.EVENT_PROJECT_INVITATION_REMOVE, eventDescription = "removing project invitation", async = true) public boolean deleteProjectInvitation(long id) { Account caller = CallContext.current().getCallingAccount(); ProjectInvitation invitation = _projectInvitationDao.findById(id); if (invitation == null) { throw new InvalidParameterValueException("Unable to find project invitation by id " + id); } //check that the project exists Project project = getProject(invitation.getProjectId()); //check permissions - only project owner can remove the invitations _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); if (_projectInvitationDao.remove(id)) { s_logger.debug("Project Invitation id=" + id + " is removed"); return true; } else { s_logger.debug("Failed to remove project invitation id=" + id); return false; } }
@Override public boolean canAccessProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (_accountMgr.isDomainAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(accountId); _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId())); return true; } return _projectAccountDao.canAccessProjectAccount(caller.getId(), accountId); }
@Override public boolean canModifyProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (_accountMgr.isDomainAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(accountId); _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId())); return true; } return _projectAccountDao.canModifyProjectAccount(caller.getId(), accountId); }
@Override @ActionEvent(eventType = EventTypes.EVENT_PROJECT_DELETE, eventDescription = "deleting project", async = true) public boolean deleteProject(long projectId) { CallContext ctx = CallContext.current(); ProjectVO project = getProject(projectId); //verify input parameters if (project == null) { throw new InvalidParameterValueException("Unable to find project by id " + projectId); } _accountMgr.checkAccess(ctx.getCallingAccount(), AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); return deleteProject(ctx.getCallingAccount(), ctx.getCallingUserId(), project); }
@Override @ActionEvent(eventType = EventTypes.EVENT_PROJECT_CREATE, eventDescription = "creating project", async = true) @DB public Project enableProject(long projectId) { Account caller = CallContext.current().getCallingAccount(); ProjectVO project = getProject(projectId); //verify input parameters if (project == null) { throw new InvalidParameterValueException("Unable to find project by id " + projectId); } _accountMgr.checkAccess(caller, AccessType.ModifyProject, true, _accountMgr.getAccount(project.getProjectAccountId())); //at this point enabling project doesn't require anything, so just update the state project.setState(State.Active); _projectDao.update(projectId, project); return project; }
@Override public TemplateProfile prepare(RegisterIsoCmd cmd) throws ResourceAllocationException { //check if the caller can operate with the template owner Account caller = CallContext.current().getCallingAccount(); Account owner = _accountMgr.getAccount(cmd.getEntityOwnerId()); _accountMgr.checkAccess(caller, null, true, owner); List<Long> zoneList = null; Long zoneId = cmd.getZoneId(); // ignore passed zoneId if we are using region wide image store List<ImageStoreVO> stores = _imgStoreDao.findRegionImageStores(); if (CollectionUtils.isEmpty(stores) && zoneId != null && zoneId > 0L) { zoneList = new ArrayList<>(); zoneList.add(zoneId); } return prepare(true, CallContext.current().getCallingUserId(), cmd.getIsoName(), cmd.getDisplayText(), 64, cmd.isPasswordEnabled(), true, cmd.getUrl(), cmd.isPublic(), cmd.isFeatured(), cmd.isExtractable(), ImageFormat.ISO.toString(), cmd.getOsTypeId(), zoneList, HypervisorType.None, cmd.getChecksum(), cmd.isBootable(), null, owner, null, false, cmd.getImageStoreUuid(), cmd.isDynamicallyScalable(), TemplateType.USER, cmd.isDirectDownload()); }
@Override public TemplateProfile prepare(RegisterIsoCmd cmd) throws ResourceAllocationException { TemplateProfile profile = super.prepare(cmd); String url = profile.getUrl(); UriUtils.validateUrl(ImageFormat.ISO.getFileExtension(), url); if (cmd.isDirectDownload()) { DigestHelper.validateChecksumString(cmd.getChecksum()); Long templateSize = performDirectDownloadUrlValidation(url); profile.setSize(templateSize); } profile.setUrl(url); // Check that the resource limit for secondary storage won't be exceeded _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()), ResourceType.secondary_storage, UriUtils.getRemoteSize(url)); return profile; }
@Override public TemplateProfile prepare(RegisterTemplateCmd cmd) throws ResourceAllocationException { TemplateProfile profile = super.prepare(cmd); String url = profile.getUrl(); UriUtils.validateUrl(cmd.getFormat(), url); if (cmd.isDirectDownload()) { DigestHelper.validateChecksumString(cmd.getChecksum()); Long templateSize = performDirectDownloadUrlValidation(url); profile.setSize(templateSize); } profile.setUrl(url); // Check that the resource limit for secondary storage won't be exceeded _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(cmd.getEntityOwnerId()), ResourceType.secondary_storage, UriUtils.getRemoteSize(url)); return profile; }