if (_accountMgr.isRootAdmin(accountId)) { return max;
@Override public Role findRole(Long id) { if (id == null || id < 1L) { logger.trace(String.format("Role ID is invalid [%s]", id)); return null; } RoleVO role = roleDao.findById(id); if (role == null) { logger.trace(String.format("Role not found [id=%s]", id)); return null; } Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId()) && RoleType.Admin == role.getRoleType()) { logger.debug(String.format("Role [id=%s, name=%s] is of 'Admin' type and is only visible to 'Root admins'.", id, role.getName())); return null; } return role; }
private boolean isRootAdmin(VirtualMachineProfile vmProfile) { if (vmProfile != null) { if (vmProfile.getOwner() != null) { return _accountMgr.isRootAdmin(vmProfile.getOwner().getId()); } else { return false; } } return false; }
/** * Removes roles of the given list that have the type '{@link RoleType#Admin}' if the user calling the method is not a 'root admin'. * The actual removal is executed via {@link #removeRootAdminRoles(List)}. Therefore, if the method is called by a 'root admin', we do nothing here. */ protected void removeRootAdminRolesIfNeeded(List<? extends Role> roles) { Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId())) { removeRootAdminRoles(roles); } }
private boolean isRootAdmin(VirtualMachineProfile vmProfile) { if (vmProfile != null) { if (vmProfile.getOwner() != null) { return accountMgr.isRootAdmin(vmProfile.getOwner().getId()); } else { return false; } } return false; }
@Override public List<Role> findRolesByType(RoleType roleType) { if (roleType == null || RoleType.Admin == roleType && !accountManager.isRootAdmin(getCurrentAccount().getId())) { return Collections.emptyList(); } List<? extends Role> roles = roleDao.findAllByRoleType(roleType); return ListUtils.toListOfInterface(roles); }
@Override public Class<?> getCmdClass(String cmdName) { List<Class<?>> cmdList = s_apiNameCmdClassMap.get(cmdName); if (cmdList == null || cmdList.size() == 0) return null; else if (cmdList.size() == 1) return cmdList.get(0); else { // determine the cmd class based on calling context ResponseView view = ResponseView.Restricted; if (CallContext.current() != null && accountMgr.isRootAdmin(CallContext.current().getCallingAccount().getId())) { view = ResponseView.Full; } for (Class<?> cmdClass : cmdList) { APICommand at = cmdClass.getAnnotation(APICommand.class); if (at == null) { throw new CloudRuntimeException(String.format("%s is claimed as a API command, but it doesn't have @APICommand annotation", cmdClass.getName())); } if (at.responseView() == null) { throw new CloudRuntimeException(String.format( "%s @APICommand annotation should specify responseView attribute to distinguish multiple command classes for a single api name", cmdClass.getName())); } else if (at.responseView() == view) { return cmdClass; } } return null; } }
if (_accountMgr.isRootAdmin(account.getId())) { return max;
private void verifyAccessToDomainWideProcessor(Account caller, AffinityGroupProcessor processor) { if (!_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Unable to create affinity group, account name must be passed with the domainId"); } if (!processor.canBeSharedDomainWide()) { throw new InvalidParameterValueException("Unable to create affinity group, account name is needed. Affinity group type "+ processor.getType() +" cannot be shared domain wide"); } }
@Override public <T> void checkUuid(String uuid, Class<T> entityType) { if (uuid == null) { return; } Account caller = CallContext.current().getCallingAccount(); // Only admin and system allowed to do this if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))) { throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id"); } checkUuidSimple(uuid, entityType); }
if (_accountMgr.isRootAdmin(accountObj.getId())) return true;
if (accountMgr.isRootAdmin(account.getId())) { jobs = asyncMgr.findInstancePendingAsyncJobs(command.getInstanceType().toString(), null); } else {
@Override @DB public void checkResourceLimit(final Account account, final ResourceType type, long... count) throws ResourceAllocationException { final long numResources = ((count.length == 0) ? 1 : count[0]); Project project = null; // Don't place any limits on system or root admin accounts if (_accountMgr.isRootAdmin(account.getId())) { return; } if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { project = _projectDao.findByProjectAccountId(account.getId()); } final Project projectFinal = project; Transaction.execute(new TransactionCallbackWithExceptionNoReturn<ResourceAllocationException>() { @Override public void doInTransactionWithoutResult(TransactionStatus status) throws ResourceAllocationException { // Lock all rows first so nobody else can read it lockAccountAndOwnerDomainRows(account.getId(), type); // Check account limits checkAccountResourceLimit(account, projectFinal, type, numResources); // check all domains in the account's domain hierarchy checkDomainResourceLimit(account, projectFinal, type, numResources); } }); }
@Override public boolean canModifyProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (_accountMgr.isDomainAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(accountId); _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId())); return true; } return _projectAccountDao.canModifyProjectAccount(caller.getId(), accountId); }
@Override public boolean canAccessProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (_accountMgr.isDomainAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(accountId); _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId())); return true; } return _projectAccountDao.canAccessProjectAccount(caller.getId(), accountId); }
@DB @Override public void releasePodIp(Long id) throws CloudRuntimeException { // Verify input parameters DataCenterIpAddressVO ipVO = _privateIPAddressDao.findById(id); if (ipVO == null) { throw new CloudRuntimeException("Unable to find ip address by id:" + id); } if (ipVO.getTakenAt() == null) { s_logger.debug("Ip Address with id= " + id + " is not allocated, so do nothing."); throw new CloudRuntimeException("Ip Address with id= " + id + " is not allocated, so do nothing."); } // Verify permission DataCenter zone = _entityMgr.findById(DataCenter.class, ipVO.getDataCenterId()); Account caller = CallContext.current().getCallingAccount(); if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { throw new CloudRuntimeException("Cannot perform this operation, " + "Zone is currently disabled" + "zoneId=" + ipVO.getDataCenterId()); } try { _privateIPAddressDao.releasePodIpAddress(id); } catch (Exception e) { new CloudRuntimeException(e.getMessage()); } }
protected boolean revokeFirewallRule(long ruleId, boolean apply, Account caller, long userId) { FirewallRuleVO rule = _firewallDao.findById(ruleId); if (rule == null || rule.getPurpose() != Purpose.Firewall) { throw new InvalidParameterValueException("Unable to find " + ruleId + " having purpose " + Purpose.Firewall); } if (rule.getType() == FirewallRuleType.System && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Only root admin can delete the system wide firewall rule"); } _accountMgr.checkAccess(caller, null, true, rule); revokeRule(rule, caller, userId, false); boolean success = false; Long networkId = rule.getNetworkId(); if (apply) { // ingress firewall rule if (rule.getSourceIpAddressId() != null) { //feteches ingress firewall, ingress firewall rules associated with the ip List<FirewallRuleVO> rules = _firewallDao.listByIpAndPurpose(rule.getSourceIpAddressId(), Purpose.Firewall); return applyFirewallRules(rules, false, caller); //egress firewall rule } else if (networkId != null) { List<FirewallRuleVO> rules = _firewallDao.listByNetworkPurposeTrafficType(rule.getNetworkId(), Purpose.Firewall, FirewallRule.TrafficType.Egress); return applyFirewallRules(rules, false, caller); } } else { success = true; } return success; }
@Override @ActionEvent(eventType = EventTypes.EVENT_NETWORK_DELETE, eventDescription = "deleting network", async = true) public boolean deleteNetwork(long networkId, boolean forced) { Account caller = CallContext.current().getCallingAccount(); // Verify network id NetworkVO network = _networksDao.findById(networkId); if (network == null) { // see NetworkVO.java throwInvalidIdException("unable to find network with specified id", String.valueOf(networkId), "networkId"); } // don't allow to delete system network if (isNetworkSystem(network)) { throwInvalidIdException("Network with specified id is system and can't be removed", network.getUuid(), "networkId"); } Account owner = _accountMgr.getAccount(network.getAccountId()); // Only Admin can delete Shared and L2 networks if ((network.getGuestType() == GuestType.Shared || network.getGuestType() == GuestType.L2) && !_accountMgr.isAdmin(caller.getId())) { throw new InvalidParameterValueException("Only Admins can delete network with guest type " + network.getGuestType()); } // Perform permission check _accountMgr.checkAccess(caller, null, true, network); if (forced && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins"); } User callerUser = _accountMgr.getActiveUser(CallContext.current().getCallingUserId()); ReservationContext context = new ReservationContextImpl(null, null, callerUser, owner); return _networkMgr.destroyNetwork(networkId, context, forced); }
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot perform this operation, Zone is currently disabled: " + zone.getName());
if (Grouping.AllocationState.Disabled == zone.getAllocationState() && !_accountMgr.isRootAdmin(caller.getId())) { ResourceAllocationException ex = new ResourceAllocationException("Cannot perform this operation, " + "Zone is currently disabled" + "zoneId=" + zone.getUuid(), ResourceType.network);