After merge, fix isRootAdmin() calls to use accountId instead of type
diff --git a/api/src/com/cloud/user/AccountService.java b/api/src/com/cloud/user/AccountService.java index 85c71ca..7e37b38 100755 --- a/api/src/com/cloud/user/AccountService.java +++ b/api/src/com/cloud/user/AccountService.java
@@ -88,9 +88,9 @@ User getUserIncludingRemoved(long userId); - boolean isRootAdmin(long accountId); + boolean isRootAdmin(Long accountId); - boolean isDomainAdmin(long accountId); + boolean isDomainAdmin(Long accountId); boolean isNormalUser(long accountId);
diff --git a/server/src/com/cloud/api/query/QueryManagerImpl.java b/server/src/com/cloud/api/query/QueryManagerImpl.java index 0554e3a..b932d42 100644 --- a/server/src/com/cloud/api/query/QueryManagerImpl.java +++ b/server/src/com/cloud/api/query/QueryManagerImpl.java
@@ -520,7 +520,7 @@ _accountMgr.buildACLViewSearchCriteria(sc, aclSc, isRecursive, permittedDomains, permittedAccounts, permittedResources, listProjectResourcesCriteria); // For end users display only enabled events - if(!_accountMgr.isRootAdmin(caller.getType())){ + if (!_accountMgr.isRootAdmin(caller.getId())) { sc.setParameters("displayEvent", true); }
diff --git a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java index 74c141e..c1f336c 100644 --- a/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java +++ b/server/src/com/cloud/deploy/DeploymentPlanningManagerImpl.java
@@ -508,7 +508,7 @@ // check if zone is dedicated. if yes check if vm owner has acess to it. DedicatedResourceVO dedicatedZone = _dedicatedDao.findByZoneId(dc.getId()); - if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getType())) { + if (dedicatedZone != null && !_accountMgr.isRootAdmin(vmProfile.getOwner().getId())) { long accountDomainId = vmProfile.getOwner().getDomainId(); long accountId = vmProfile.getOwner().getAccountId();
diff --git a/server/src/com/cloud/network/NetworkServiceImpl.java b/server/src/com/cloud/network/NetworkServiceImpl.java index be95a36..9185d84 100755 --- a/server/src/com/cloud/network/NetworkServiceImpl.java +++ b/server/src/com/cloud/network/NetworkServiceImpl.java
@@ -1805,7 +1805,7 @@ // Perform permission check _accountMgr.checkAccess(caller, null, true, network); - if (forced && !_accountMgr.isRootAdmin(caller.getType())) { + if (forced && !_accountMgr.isRootAdmin(caller.getId())) { throw new InvalidParameterValueException("Delete network with 'forced' option can only be called by root admins"); }
diff --git a/server/src/com/cloud/storage/VolumeApiServiceImpl.java b/server/src/com/cloud/storage/VolumeApiServiceImpl.java index 5ce07f0..30b5479 100644 --- a/server/src/com/cloud/storage/VolumeApiServiceImpl.java +++ b/server/src/com/cloud/storage/VolumeApiServiceImpl.java
@@ -386,7 +386,7 @@ if (displayVolume == null) { displayVolume = true; } else { - if (!_accountMgr.isRootAdmin(caller.getType())) { + if (!_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot update parameter displayvolume, only admin permitted "); } }
diff --git a/server/src/com/cloud/user/AccountManagerImpl.java b/server/src/com/cloud/user/AccountManagerImpl.java index 04d3e23..1b68b0c 100755 --- a/server/src/com/cloud/user/AccountManagerImpl.java +++ b/server/src/com/cloud/user/AccountManagerImpl.java
@@ -366,37 +366,40 @@ } @Override - public boolean isRootAdmin(long accountId) { - AccountVO acct = _accountDao.findById(accountId); - for (SecurityChecker checker : _securityCheckers) { - try { - if (checker.checkAccess(acct, null, null, "SystemCapability")) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + public boolean isRootAdmin(Long accountId) { + if (accountId != null) { + AccountVO acct = _accountDao.findById(accountId); + for (SecurityChecker checker : _securityCheckers) { + try { + if (checker.checkAccess(acct, null, null, "SystemCapability")) { + if (s_logger.isDebugEnabled()) { + s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + } + return true; } - return true; + } catch (PermissionDeniedException ex) { + return false; } - } catch (PermissionDeniedException ex) { - return false; } } - return false; } @Override - public boolean isDomainAdmin(long accountId) { - AccountVO acct = _accountDao.findById(accountId); - for (SecurityChecker checker : _securityCheckers) { - try { - if (checker.checkAccess(acct, null, null, "DomainCapability")) { - if (s_logger.isDebugEnabled()) { - s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + public boolean isDomainAdmin(Long accountId) { + if (accountId != null) { + AccountVO acct = _accountDao.findById(accountId); + for (SecurityChecker checker : _securityCheckers) { + try { + if (checker.checkAccess(acct, null, null, "DomainCapability")) { + if (s_logger.isDebugEnabled()) { + s_logger.debug("Root Access granted to " + acct + " by " + checker.getName()); + } + return true; } - return true; + } catch (PermissionDeniedException ex) { + return false; } - } catch (PermissionDeniedException ex) { - return false; } } return false;
diff --git a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java index c514746..a1d1452 100644 --- a/server/src/com/cloud/uuididentity/UUIDManagerImpl.java +++ b/server/src/com/cloud/uuididentity/UUIDManagerImpl.java
@@ -50,7 +50,7 @@ Account caller = CallContext.current().getCallingAccount(); // Only admin and system allowed to do this - if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getType()))) { + if (!(caller.getId() == Account.ACCOUNT_ID_SYSTEM || _accountMgr.isRootAdmin(caller.getId()))) { throw new PermissionDeniedException("Please check your permissions, you are not allowed to create/update custom id"); }
diff --git a/server/test/com/cloud/user/MockAccountManagerImpl.java b/server/test/com/cloud/user/MockAccountManagerImpl.java index b411b18..f373cba 100644 --- a/server/test/com/cloud/user/MockAccountManagerImpl.java +++ b/server/test/com/cloud/user/MockAccountManagerImpl.java
@@ -162,7 +162,7 @@ } @Override - public boolean isRootAdmin(long accountId) { + public boolean isRootAdmin(Long accountId) { // TODO Auto-generated method stub return false; } @@ -298,7 +298,7 @@ } @Override - public boolean isDomainAdmin(long accountId) { + public boolean isDomainAdmin(Long accountId) { // TODO Auto-generated method stub return false; } @@ -356,4 +356,5 @@ return null; } + }
diff --git a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java index 02bb702..3fe854a 100644 --- a/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java +++ b/services/iam/plugin/src/org/apache/cloudstack/iam/RoleBasedEntityAccessChecker.java
@@ -63,6 +63,9 @@ public boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException { + if (caller == null) { + throw new InvalidParameterValueException("Caller cannot be passed as NULL to IAM!"); + } if (entity == null && action != null) { // check if caller can do this action List<IAMPolicy> policies = _iamSrv.listIAMPolicies(caller.getAccountId());