Refine search
private void checkAccountResourceLimit(final Account account, final Project project, final ResourceType type, long numResources) throws ResourceAllocationException { // Check account limits long accountResourceLimit = findCorrectResourceLimitForAccount(account, type); long currentResourceCount = _resourceCountDao.getResourceCount(account.getId(), ResourceOwnerType.Account, type); long requestedResourceCount = currentResourceCount + numResources; String messageSuffix = " amount of resources of Type = '" + type + "' for " + (project == null ? "Account Name = " + account.getAccountName() : "Project Name = " + project.getName()) + " in Domain Id = " + account.getDomainId() + " is exceeded: Account Resource Limit = " + accountResourceLimit + ", Current Account Resource Amount = " + currentResourceCount + ", Requested Resource Amount = " + numResources + "."; if (s_logger.isDebugEnabled()) { s_logger.debug("Checking if" + messageSuffix); } if (accountResourceLimit != Resource.RESOURCE_UNLIMITED && requestedResourceCount > accountResourceLimit) { String message = "Maximum" + messageSuffix; ResourceAllocationException e = new ResourceAllocationException(message, type); s_logger.error(message, e); throw e; } }
@Override public long getEntityOwnerId() { Account activeAccountByName = _accountService.getActiveAccountByName(accountName, domainId); if (activeAccountByName != null) { return activeAccountByName.getAccountId(); } return Account.ACCOUNT_ID_SYSTEM; }
Account account = new Account(); Contact contact = new Contact(); account.addToContact(contact); em.persist(account); em.flush(); assertNotNull(account.getId()); assertNotNull(account.getContacts().get(0).getId()); assertEquals(1, account.getContacts().size()); account.removeFromContact(contact); em.merge(account); em.flush(); assertEquals(0, account.getContacts().size());
@Override public boolean canAccessProjectAccount(Account caller, long accountId) { //ROOT admin always can access the project if (_accountMgr.isRootAdmin(caller.getId())) { return true; } else if (_accountMgr.isDomainAdmin(caller.getId())) { Account owner = _accountMgr.getAccount(accountId); _accountMgr.checkAccess(caller, _domainDao.findById(owner.getDomainId())); return true; } return _projectAccountDao.canAccessProjectAccount(caller.getId(), accountId); }
@Override public void onPublishMessage(String senderAddress, String subject, Object args) { try { final Account account = accountDao.findByIdIncludingRemoved((Long) args); if(!removeUserAccount(account)) { LOG.warn(String.format("Failed to remove account to Cloudian while removing CloudStack account=%s, id=%s", account.getAccountName(), account.getId())); } } catch (final Exception e) { LOG.error("Caught exception while removing account in Cloudian: ", e); } } });
s_logger.debug("Console/thumbnail access denied. VM " + vmId + " does not exist in system any more"); return false; if (_accountMgr.isRootAdmin(accountObj.getId())) return true; case User: try { _accountMgr.checkAccess(accountObj, null, true, vm); } catch (PermissionDeniedException ex) { if (_accountMgr.isNormalUser(accountObj.getId())) { if (s_logger.isDebugEnabled()) { s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId() + " does not match the account id in session " + accountObj.getId() + " and caller is a normal user"); } else if (_accountMgr.isDomainAdmin(accountObj.getId()) || accountObj.getType() == Account.ACCOUNT_TYPE_READ_ONLY_ADMIN) { if(s_logger.isDebugEnabled()) { s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId() + " does not match the account id in session " + accountObj.getId() + " and the domain-admin caller does not manage the target domain");
@Override public void onPublishMessage(String senderAddress, String subject, Object args) { try { final Map<Long, Long> accountGroupMap = (Map<Long, Long>) args; final Long accountId = accountGroupMap.keySet().iterator().next(); final Account account = accountDao.findById(accountId); final Domain domain = domainDao.findById(account.getDomainId()); if (!addUserAccount(account, domain)) { LOG.warn(String.format("Failed to add account in Cloudian while adding CloudStack account=%s in domain=%s", account.getAccountName(), domain.getPath())); } } catch (final Exception e) { LOG.error("Caught exception while adding account in Cloudian: ", e); } } });
private void checkCommandAvailable(final User user, final String commandName, final InetAddress remoteAddress) throws PermissionDeniedException { if (user == null) { throw new PermissionDeniedException("User is null for role based API access check for command" + commandName); } final Account account = accountMgr.getAccount(user.getAccountId()); final String accessAllowedCidrs = ApiServiceConfiguration.ApiAllowedSourceCidrList.valueIn(account.getId()).replaceAll("\\s",""); final Boolean apiSourceCidrChecksEnabled = ApiServiceConfiguration.ApiSourceCidrChecksEnabled.value(); if (apiSourceCidrChecksEnabled) { s_logger.debug("CIDRs from which account '" + account.toString() + "' is allowed to perform API calls: " + accessAllowedCidrs); if (!NetUtils.isIpInCidrList(remoteAddress, accessAllowedCidrs.split(","))) { s_logger.warn("Request by account '" + account.toString() + "' was denied since " + remoteAddress + " does not match " + accessAllowedCidrs); throw new PermissionDeniedException("Calls for domain '" + account.getAccountName() + "' are not allowed from ip address '" + remoteAddress.getHostAddress()); } } for (final APIChecker apiChecker : apiAccessCheckers) { apiChecker.checkAccess(user, commandName); } }
if (processor.isAdminControlledGroup() && !_accountMgr.isRootAdmin(caller.getId())) { throw new PermissionDeniedException("Cannot create the affinity group"); verifyAccessToDomainWideProcessor(caller, processor); DomainVO domain = getDomain(domainId); _accountMgr.checkAccess(caller, domain); owner = _accountMgr.getAccount(Account.ACCOUNT_ID_SYSTEM); aclType = ControlledEntity.ACLType.Domain; domainLevel = true; verifyAffinityGroupNameInUse(owner.getAccountId(), owner.getDomainId(), affinityGroupName); verifyDomainLevelAffinityGroupName(domainLevel, owner.getDomainId(), affinityGroupName); if (s_logger.isDebugEnabled()) { s_logger.debug("Created affinity group =" + affinityGroupName);
private long getNewAccountId(long domainId, String accountName, Long accountId) { Account newAccount = null; if (StringUtils.isNotBlank(accountName)) { if (s_logger.isDebugEnabled()) { s_logger.debug("Getting id for account by name '" + accountName + "' in domain " + domainId); } newAccount = _accountDao.findEnabledAccount(accountName, domainId); } if (newAccount == null && accountId != null) { newAccount = _accountDao.findById(accountId); } if (newAccount == null) { throw new CloudRuntimeException("no account name or account id. this should have been caught before this point"); } checkIfNotMovingAcrossDomains(domainId, newAccount); return newAccount.getAccountId(); }
@Override public AcquirePodIpCmdResponse allocatePodIp(Account ipOwner, String zoneId, String podId) throws ResourceAllocationException { Account caller = CallContext.current().getCallingAccount(); long callerUserId = CallContext.current().getCallingUserId(); DataCenter zone = _entityMgr.findByUuid(DataCenter.class, zoneId); if (zone == null) { throw new InvalidParameterValueException("Invalid zone Id "); } if (_accountMgr.checkAccessAndSpecifyAuthority(caller, zone.getId()) != zone.getId()) { throw new InvalidParameterValueException("Caller does not have permission for this Zone" + "(" + zoneId + ")"); } if (s_logger.isDebugEnabled()) { s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId()); } return _ipAddrMgr.allocatePodIp(zoneId, podId); }
_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); if (s_logger.isDebugEnabled()) { s_logger.debug("Associate IP address called by the user " + callerUserId + " account " + ipOwner.getId()); _accountMgr.checkAccess(caller, null, false, ipOwner);
Account futureOwnerAccount = _accountMgr.getActiveAccountByName(newOwnerName, project.getDomainId()); if (futureOwnerAccount == null) { throw new InvalidParameterValueException("Unable to find account name=" + newOwnerName + " in domain id=" + project.getDomainId()); s_logger.error("Unable to find the current owner for the project id=" + projectId); throw new InvalidParameterValueException("Unable to find the current owner for the project id=" + projectId); if (currentOwnerAccount.getId() != futureOwnerAccount.getId()) { ProjectAccountVO futureOwner = _projectAccountDao.findByProjectIdAccountId(projectId, futureOwnerAccount.getAccountId()); if (futureOwner == null) { throw new InvalidParameterValueException("Account " + newOwnerName + _resourceLimitMgr.checkResourceLimit(_accountMgr.getAccount(futureOwnerAccount.getId()), ResourceType.project); ProjectAccountVO currentOwner = _projectAccountDao.findByProjectIdAccountId(projectId, currentOwnerAccount.getId()); currentOwner.setAccountRole(Role.Regular); _projectAccountDao.update(currentOwner.getId(), currentOwner); _resourceLimitMgr.decrementResourceCount(currentOwnerAccount.getId(), ResourceType.project); _resourceLimitMgr.incrementResourceCount(futureOwnerAccount.getId(), ResourceType.project); s_logger.trace("Future owner " + newOwnerName + "is already the owner of the project id=" + projectId);
@Override public Boolean doInTransaction(TransactionStatus status) { s_logger.debug("Marking project id=" + project.getId() + " with state " + State.Disabled + " as a part of project delete..."); project.setState(State.Disabled); boolean updateResult = _projectDao.update(project.getId(), project); //owner can be already removed at this point, so adding the conditional check Account projectOwner = getProjectOwner(project.getId()); if (projectOwner != null) { _resourceLimitMgr.decrementResourceCount(projectOwner.getId(), ResourceType.project); } return updateResult; } });
@Override public Role findRole(Long id) { if (id == null || id < 1L) { logger.trace(String.format("Role ID is invalid [%s]", id)); return null; } RoleVO role = roleDao.findById(id); if (role == null) { logger.trace(String.format("Role not found [id=%s]", id)); return null; } Account account = getCurrentAccount(); if (!accountManager.isRootAdmin(account.getId()) && RoleType.Admin == role.getRoleType()) { logger.debug(String.format("Role [id=%s, name=%s] is of 'Admin' type and is only visible to 'Root admins'.", id, role.getName())); return null; } return role; }
@Override public void doInTransactionWithoutResult(TransactionStatus status) { Account owner = _accountMgr.getAccount(addr.getAllocatedToAccountId()); if (_ipAddressDao.lockRow(addr.getId(), true) != null) { final IPAddressVO userIp = _ipAddressDao.findById(addr.getId()); if (userIp.getState() == IpAddress.State.Allocating || addr.getState() == IpAddress.State.Free) { addr.setState(IpAddress.State.Allocated); if (_ipAddressDao.update(addr.getId(), addr)) { // Save usage event if (owner.getAccountId() != Account.ACCOUNT_ID_SYSTEM) { VlanVO vlan = _vlanDao.findById(addr.getVlanId()); String guestType = vlan.getVlanType().toString(); if (!isIpDedicated(addr)) { UsageEventUtils.publishUsageEvent(EventTypes.EVENT_NET_IP_ASSIGN, owner.getId(), addr.getDataCenterId(), addr.getId(), addr.getAddress().toString(), addr.isSourceNat(), guestType, addr.getSystem(), addr.getClass().getName(), addr.getUuid()); } if (updateIpResourceCount(addr)) { _resourceLimitMgr.incrementResourceCount(owner.getId(), ResourceType.public_ip); } } } else { s_logger.error("Failed to mark public IP as allocated with id=" + addr.getId() + " address=" + addr.getAddress()); } } } else { s_logger.error("Failed to acquire row lock to mark public IP as allocated with id=" + addr.getId() + " address=" + addr.getAddress()); } } });
Account owner = _accountMgr.finalizeOwner(caller, cmd.getAccountName(), cmd.getDomainId(), cmd.getProjectId()); Long vmId = cmd.getId(); s_logger.error("vm is not in the right state: " + vmId); throw new InvalidParameterValueException("Vm with specified id is not in the right state"); s_logger.error("vm is not in the right state: " + vmId); throw new InvalidParameterValueException("Vm " + userVm + " should be stopped to do SSH Key reset"); SSHKeyPairVO s = _sshKeyPairDao.findByName(owner.getAccountId(), owner.getDomainId(), cmd.getName()); if (s == null) { throw new InvalidParameterValueException("A key pair with name '" + cmd.getName() + "' does not exist for account " + owner.getAccountName() + " in specified domain id"); _accountMgr.checkAccess(caller, null, true, userVm); String password = null; String sshPublicKey = s.getPublicKey();
@Override public LinkAccountToLdapResponse linkAccountToLdap(LinkAccountToLdapCmd cmd) { Validate.notNull(_ldapConfiguration.getBaseDn(cmd.getDomainId()), "can not link an account to ldap in a domain for which no basdn is configured"); Validate.notNull(cmd.getDomainId(), "domainId cannot be null."); Validate.notEmpty(cmd.getAccountName(), "accountName cannot be empty."); Validate.notEmpty(cmd.getLdapDomain(), "ldapDomain cannot be empty, please supply a GROUP or OU name"); Validate.notNull(cmd.getType(), "type cannot be null. It should either be GROUP or OU"); Validate.notEmpty(cmd.getLdapDomain(), "GROUP or OU name cannot be empty"); LinkType linkType = LdapManager.LinkType.valueOf(cmd.getType().toUpperCase()); Account account = accountDao.findActiveAccount(cmd.getAccountName(),cmd.getDomainId()); if (account == null) { account = new AccountVO(cmd.getAccountName(), cmd.getDomainId(), null, cmd.getAccountType(), UUID.randomUUID().toString()); accountDao.persist((AccountVO)account); } Long accountId = account.getAccountId(); LdapTrustMapVO vo = _ldapTrustMapDao.persist(new LdapTrustMapVO(cmd.getDomainId(), linkType, cmd.getLdapDomain(), cmd.getAccountType(), accountId)); DomainVO domain = domainDao.findById(vo.getDomainId()); String domainUuid = "<unknown>"; if (domain == null) { s_logger.error("no domain in database for id " + vo.getDomainId()); } else { domainUuid = domain.getUuid(); } LinkAccountToLdapResponse response = new LinkAccountToLdapResponse(domainUuid, vo.getType().toString(), vo.getName(), vo.getAccountType(), account.getUuid(), cmd.getAccountName()); return response; } }
private void populateAccount(ControlledEntityResponse response, long accountId) { Account account = ApiDBUtils.findAccountById(accountId); if (account == null) { s_logger.debug("Unable to find account with id: " + accountId); } else if (account.getType() == Account.ACCOUNT_TYPE_PROJECT) { // find the project Project project = ApiDBUtils.findProjectByProjectAccountId(account.getId()); if (project != null) { response.setProjectId(project.getUuid()); response.setProjectName(project.getName()); response.setAccountName(account.getAccountName()); } else { s_logger.debug("Unable to find project with id: " + account.getId()); } } else { response.setAccountName(account.getAccountName()); } }