コード例 #1
0
  /**
   * Validates the individual list of acl entries. It is not valid acl entries list, when an acl
   * entry contains more than one privilege or privileges other than USE and if the tenant provided
   * in the acl entry is not a valid tenant org.
   *
   * @param aclEntries acl entries to be validated.
   */
  private void validateAclEntries(List<ACLEntry> aclEntries) {
    if (CollectionUtils.isEmpty(aclEntries)) {
      return;
    }

    Iterator<ACLEntry> aclEntryIterator = aclEntries.iterator();
    while (aclEntryIterator.hasNext()) {
      ACLEntry aclEntry = aclEntryIterator.next();

      // If more than one privileges provided the ACL Entry, it is not supported
      // for vCenter ACL. Only USE ACL can be provided.
      if (aclEntry.getAces().size() != 1) {
        throw APIException.badRequests.unsupportedNumberOfPrivileges(
            URI.create(aclEntry.getTenant()), aclEntry.getAces());
      }

      if (!aclEntry.getAces().get(0).equalsIgnoreCase(ACL.USE.name())) {
        throw APIException.badRequests.unsupportedPrivilege(
            URI.create(aclEntry.getTenant()), aclEntry.getAces().get(0));
      }

      // Validate if the provided tenant is a valid tenant or not.
      URI tenantId = URI.create(aclEntry.getTenant());
      TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true);
      ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId));
    }
  }
コード例 #2
0
  /**
   * Adds the tenant to the vCenter acls if the tenant admin is creating it. This always sets the
   * vCenter tenant (the old deprecated filed to null).
   *
   * @param tenant a valid tenant org if the tenant admin is creating it.
   * @param vcenter the vCenter being created.
   */
  private void addVcenterAclIfTenantAdmin(TenantOrg tenant, Vcenter vcenter) {
    // Always set the deprecated tenant field of a vCenter to null.
    vcenter.setTenant(NullColumnValueGetter.getNullURI());

    if (isSystemAdmin()) {
      return;
    }

    URI tenantId;
    if (tenant != null) {
      tenantId = tenant.getId();
    } else {
      // If the tenant org is not valid, try to use the
      // user's tenant org.
      tenantId = URI.create(getUserFromContext().getTenantId());
    }

    // If the User is an admin in the tenant org, allow the
    // operation otherwise, report the insufficient permission
    // exception.
    if (_permissionsHelper.userHasGivenRole(getUserFromContext(), tenantId, Role.TENANT_ADMIN)) {
      // Generate the acl entry and add to the vCenters acls.
      String aclKey = _permissionsHelper.getTenantUsePermissionKey(tenantId.toString());
      vcenter.addAcl(aclKey, ACL.USE.name());
      _log.debug("Adding {} to the vCenter {} acls", aclKey, vcenter.getLabel());
    }
  }