/** * Validates the individual list of acl entries. It is not valid acl entries list, when an acl * entry contains more than one privilege or privileges other than USE and if the tenant provided * in the acl entry is not a valid tenant org. * * @param aclEntries acl entries to be validated. */ private void validateAclEntries(List<ACLEntry> aclEntries) { if (CollectionUtils.isEmpty(aclEntries)) { return; } Iterator<ACLEntry> aclEntryIterator = aclEntries.iterator(); while (aclEntryIterator.hasNext()) { ACLEntry aclEntry = aclEntryIterator.next(); // If more than one privileges provided the ACL Entry, it is not supported // for vCenter ACL. Only USE ACL can be provided. if (aclEntry.getAces().size() != 1) { throw APIException.badRequests.unsupportedNumberOfPrivileges( URI.create(aclEntry.getTenant()), aclEntry.getAces()); } if (!aclEntry.getAces().get(0).equalsIgnoreCase(ACL.USE.name())) { throw APIException.badRequests.unsupportedPrivilege( URI.create(aclEntry.getTenant()), aclEntry.getAces().get(0)); } // Validate if the provided tenant is a valid tenant or not. URI tenantId = URI.create(aclEntry.getTenant()); TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true); ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId)); } }
/** * Gets the current acl assignments of the requested vCenter. * * @param vcenterId * @return the list of acl assignments of the requested vCenter. */ private ACLAssignments getAclAssignmentsResponse(URI vcenterId) { Vcenter vcenter = queryObject(Vcenter.class, vcenterId, true); ArgValidator.checkEntity(vcenter, vcenterId, isIdEmbeddedInURL(vcenterId)); ACLAssignments response = new ACLAssignments(); response.setAssignments(_permissionsHelper.convertToACLEntries(vcenter.getAcls())); return response; }
/** * Lists the id and name of all the vCenters that belong to the given tenant organization if the * requesting user is a SysAdmin or SecAdmin. If the requested user is a TenantAdmin and user is a * tenant of the "tenant" given in the query param then all the vCenters of the tenant query param * will be returned otherwise returned only the vCenters that the user's tenant shares. * * @param tid tenant to filter the vCenters. "No-Filter" or "null" indicates, listing all the * vCenters in the system. "Not-Assigned" indicates, list all the vCenters with no tenants * assigned to it. * @return a list of vCenters that belong to the tenant organization. * @throws DatabaseException when a DB error occurs */ @GET @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON}) public VcenterList listVcenters(@QueryParam("tenant") final URI tid) throws DatabaseException { VcenterList list = new VcenterList(); List<Vcenter> vcenters = null; if (isSecurityAdmin() || isSystemAdmin()) { _log.debug("Fetching vCenters for {}", tid); if (NullColumnValueGetter.isNullURI(tid) || Vcenter.NO_TENANT_SELECTOR.equalsIgnoreCase(tid.toString())) { vcenters = getDataObjects(Vcenter.class); list.setVcenters( map( ResourceTypeEnum.VCENTER, getNamedElementsList(Vcenter.class, DATAOBJECT_NAME_FIELD, vcenters))); } else if (Vcenter.TENANT_SELECTOR_FOR_UNASSIGNED.equalsIgnoreCase(tid.toString())) { vcenters = getDataObjects(Vcenter.class); list.setVcenters( map( ResourceTypeEnum.VCENTER, getNamedElementsWithNoAcls(Vcenter.class, DATAOBJECT_NAME_FIELD, vcenters))); } else { ArgValidator.checkEntity(_dbClient.queryObject(tid), tid, isIdEmbeddedInURL(tid)); list.setVcenters( map( ResourceTypeEnum.VCENTER, listChildrenWithAcls(tid, Vcenter.class, DATAOBJECT_NAME_FIELD))); } return list; } vcenters = getDataObjects(Vcenter.class); if (!CollectionUtils.isEmpty(vcenters)) { List<Vcenter> tenantVcenterList = null; if (shouldTenantAdminUseTenantParam(tid)) { // If the tenant admin can use the tid query param, then the filtering should // happen based on the tenant query param. tenantVcenterList = filterVcentersByTenant(vcenters, tid); } else { // Get the vCenters based on the User's tenant org. If the user is not a tenant admin, // insufficient // permission exception will be thrown. tenantVcenterList = filterVcentersByTenant(vcenters, NullColumnValueGetter.getNullURI()); } list.setVcenters( map( ResourceTypeEnum.VCENTER, getNamedElementsList(Vcenter.class, DATAOBJECT_NAME_FIELD, tenantVcenterList))); } return list; }
/** * Detaches storage from the vcenter. * * @param id the URN of a ViPR vcenter * @brief Detach storage from vcenter * @return task * @throws DatabaseException when a DB error occurs */ @POST @Path("/{id}/detach-storage") @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON}) @CheckPermission(roles = {Role.SYSTEM_ADMIN, Role.TENANT_ADMIN}) public TaskResourceRep detachStorage(@PathParam("id") URI id) throws DatabaseException { Vcenter vcenter = queryObject(Vcenter.class, id, true); ArgValidator.checkEntity(vcenter, id, true); checkIfOtherTenantsUsingTheVcenter(vcenter); String taskId = UUID.randomUUID().toString(); Operation op = _dbClient.createTaskOpStatus( Vcenter.class, vcenter.getId(), taskId, ResourceOperationTypeEnum.DETACH_VCENTER_DATACENTER_STORAGE); ComputeSystemController controller = getController(ComputeSystemController.class, null); controller.detachVcenterStorage(vcenter.getId(), false, taskId); return toTask(vcenter, taskId, op); }
/** * Add or remove individual Access Control List entry(s). When the vCenter is created with no * shared access (Vcenter.shared = Boolean.FALSE), there cannot be multiple Access Control List * Entries associated with this vCenter. * * @param changes Access Control List assignment changes. Request body must include at least one * add or remove operation * @param id the URN of a ViPR Project. * @return the vCenter discovery async task. */ @PUT @Path("/{id}/acl") @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON}) @CheckPermission(roles = {Role.SECURITY_ADMIN, Role.SYSTEM_ADMIN}) public TaskResourceRep updateAclAssignments( @PathParam("id") URI id, ACLAssignmentChanges changes) { // Make sure the vCenter is a valid one. Vcenter vcenter = queryObject(Vcenter.class, id, true); ArgValidator.checkEntity(vcenter, id, isIdEmbeddedInURL(id)); // Validate the acl assignment changes. It is not valid when an // acl entry contains more than one privilege or privileges // other than USE. validateAclAssignments(changes); // Make sure that the vCenter with respect to the tenants // that we are removing is not in use (means the datacenters // and its clusters and hosts with the removing tenant do not // have any exports). checkVcenterUsage(vcenter, changes); _permissionsHelper.updateACLs( vcenter, changes, new PermissionsHelper.UsageACLFilter(_permissionsHelper)); _dbClient.updateAndReindexObject(vcenter); auditOp( OperationTypeEnum.UPDATE_VCENTER, true, null, vcenter.getId().toString(), vcenter.getLabel(), changes); // Rediscover the vCenter, this will update the updated // list of tenants based its latest acls to its datacenters // and hosts and clusters. return doDiscoverVcenter(queryObject(Vcenter.class, vcenter.getId(), true)); }
/** * List the vCenter data centers of the vCenter. * * @param id the URN of a ViPR vCenter * @param tid tenant to filter the vCenter data centers. "No-Filter" or "null" indicates, listing * all the vCenters in the system. "Not-Assigned" indicates, list all the vCenters with no * tenants assigned to it. * @prereq none * @brief List vCenter data centers * @return All the list of vCenter data centers. * @throws DatabaseException when a DB error occurs. */ @GET @Path("/{id}/vcenter-data-centers") @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON}) public VcenterDataCenterList getVcenterDataCenters( @PathParam("id") URI id, @QueryParam("tenant") URI tid) throws DatabaseException { Vcenter vcenter = queryObject(Vcenter.class, id, false); ArgValidator.checkEntity(vcenter, id, isIdEmbeddedInURL(id)); // check the user permissions for this tenant org verifyAuthorizedSystemOrTenantOrgUser( _permissionsHelper.convertToACLEntries(vcenter.getAcls())); URI tenantId; if (isSecurityAdmin() || isSystemAdmin()) { tenantId = tid; } else { if (shouldTenantAdminUseTenantParam(tid)) { tenantId = tid; } else { tenantId = URI.create(getUserFromContext().getTenantId()); } } _log.debug("Fetching the vCenterDataCenters for the tenant {}", tenantId); // get the vcenters VcenterDataCenterList list = new VcenterDataCenterList(); List<NamedElementQueryResultList.NamedElement> elements = listChildren(id, VcenterDataCenter.class, DATAOBJECT_NAME_FIELD, "vcenter"); // Filter the vCenterDataCenters based on the tenant. list.setDataCenters( map( ResourceTypeEnum.VCENTERDATACENTER, id, filterTenantResourcesByTenant(tenantId, VcenterDataCenter.class, elements))); return list; }
/** * List the clusters in a vCenter * * @param id the URN of a ViPR vCenter * @prereq none * @brief List vCenter clusters * @return The list of clusters of the vCenter. * @throws DatabaseException when a DB error occurs. */ @GET @Path("/{id}/clusters") @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON}) public ClusterList getVcenterClusters(@PathParam("id") URI id) throws DatabaseException { Vcenter vcenter = queryObject(Vcenter.class, id, false); ArgValidator.checkEntity(vcenter, id, isIdEmbeddedInURL(id)); // check the user permissions for this tenant org verifyAuthorizedInTenantOrg(_permissionsHelper.convertToACLEntries(vcenter.getAcls())); URI tenantId = URI.create(getUserFromContext().getTenantId()); List<NamedElementQueryResultList.NamedElement> vCentersDataCenters = filterTenantResourcesByTenant( tenantId, VcenterDataCenter.class, listChildren(id, VcenterDataCenter.class, DATAOBJECT_NAME_FIELD, "vcenter")); ClusterList list = new ClusterList(); Iterator<NamedElementQueryResultList.NamedElement> dataCentersIterator = vCentersDataCenters.iterator(); while (dataCentersIterator.hasNext()) { NamedElementQueryResultList.NamedElement dataCenterElement = dataCentersIterator.next(); list.getClusters() .addAll( map( ResourceTypeEnum.CLUSTER, listChildren( dataCenterElement.getId(), Cluster.class, DATAOBJECT_NAME_FIELD, "vcenterDataCenter"))); } return list; }