After merge, fix isRootAdmin() calls to use accountId instead of type
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java
index 85c71ca..7e37b38 100755
--- a/api/src/com/cloud/user/AccountService.java
+++ b/api/src/com/cloud/user/AccountService.java
@@ -88,9 +88,9 @@
User getUserIncludingRemoved(long userId);
- boolean isRootAdmin(long accountId);
+ boolean isRootAdmin(Long accountId);
- boolean isDomainAdmin(long accountId);
+ boolean isDomainAdmin(Long accountId);
boolean isNormalUser(long accountId);
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java
index 0554e3a..b932d42 100644
--- a/server/src/com/cloud/api/query/QueryManagerImpl.java
+++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -520,7 +520,7 @@
_accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria);
// For end users display only enabled events
- if(!_accountMgr.isRootAdmin(caller.getType())){
+ if (!_accountMgr.isRootAdmin(caller.getId())) {
sc.setParameters("displayEvent", true);
}
diff --git a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
index 74c141e..c1f336c 100644
--- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
+++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
@@ -508,7 +508,7 @@
// check if zone is dedicated. if yes check if vm owner has acess to it.
DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId());
- if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) {
+ if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getId())) {
long accountDomainId = vmProfile.getOwner().getDomainId();
long accountId = vmProfile.getOwner().getAccountId();
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java
index be95a36..9185d84 100755
--- a/server/src/com/cloud/network/NetworkServiceImpl.java
+++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -1805,7 +1805,7 @@
// Perform permission check
_accountMgr.checkAccess(caller, null, true, network);
- if (forced && !_accountMgr.isRootAdmin(caller.getType())) {
+ if (forced && !_accountMgr.isRootAdmin(caller.getId())) {
throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins");
}
diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
index 5ce07f0..30b5479 100644
--- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java
+++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@@ -386,7 +386,7 @@
if (displayVolume == null) {
displayVolume = true;
} else {
- if (!_accountMgr.isRootAdmin(caller.getType())) {
+ if (!_accountMgr.isRootAdmin(caller.getId())) {
throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted ");
}
}
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java
index 04d3e23..1b68b0c 100755
--- a/server/src/com/cloud/user/AccountManagerImpl.java
+++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -366,37 +366,40 @@
}
@Override
- public boolean isRootAdmin(long accountId) {
- AccountVO acct = _accountDao.findById(accountId);
- for (SecurityChecker checker : _securityCheckers) {
- try {
- if (checker.checkAccess(acct, null, null, "SystemCapability")) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ public boolean isRootAdmin(Long accountId) {
+ if (accountId != null) {
+ AccountVO acct = _accountDao.findById(accountId);
+ for (SecurityChecker checker : _securityCheckers) {
+ try {
+ if (checker.checkAccess(acct, null, null, "SystemCapability")) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ }
+ return true;
}
- return true;
+ } catch (PermissionDeniedException ex) {
+ return false;
}
- } catch (PermissionDeniedException ex) {
- return false;
}
}
-
return false;
}
@Override
- public boolean isDomainAdmin(long accountId) {
- AccountVO acct = _accountDao.findById(accountId);
- for (SecurityChecker checker : _securityCheckers) {
- try {
- if (checker.checkAccess(acct, null, null, "DomainCapability")) {
- if (s_logger.isDebugEnabled()) {
- s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ public boolean isDomainAdmin(Long accountId) {
+ if (accountId != null) {
+ AccountVO acct = _accountDao.findById(accountId);
+ for (SecurityChecker checker : _securityCheckers) {
+ try {
+ if (checker.checkAccess(acct, null, null, "DomainCapability")) {
+ if (s_logger.isDebugEnabled()) {
+ s_logger.debug("Root Access granted to " + acct + " by " + checker.getName());
+ }
+ return true;
}
- return true;
+ } catch (PermissionDeniedException ex) {
+ return false;
}
- } catch (PermissionDeniedException ex) {
- return false;
}
}
return false;
diff --git a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
index c514746..a1d1452 100644
--- a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
+++ b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
@@ -50,7 +50,7 @@
Account caller = CallContext.current().getCallingAccount();
// Only admin and system allowed to do this
- if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))) {
+ if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))) {
throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id");
}
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java
index b411b18..f373cba 100644
--- a/server/test/com/cloud/user/MockAccountManagerImpl.java
+++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -162,7 +162,7 @@
}
@Override
- public boolean isRootAdmin(long accountId) {
+ public boolean isRootAdmin(Long accountId) {
// TODO Auto-generated method stub
return false;
}
@@ -298,7 +298,7 @@
}
@Override
- public boolean isDomainAdmin(long accountId) {
+ public boolean isDomainAdmin(Long accountId) {
// TODO Auto-generated method stub
return false;
}
@@ -356,4 +356,5 @@
return null;
}
+
}
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
index 02bb702..3fe854a 100644
--- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
+++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -63,6 +63,9 @@
public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
throws PermissionDeniedException {
+ if (caller == null) {
+ throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!");
+ }
if (entity == null && action != null) {
// check if caller can do this action
List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());
