@Override public boolean apply(Allocation allocInfo) throws MetadataException { if (allocInfo.getRequest().getKeyName() == null || "".equals(allocInfo.getRequest().getKeyName())) { if (ImageMetadata.Platform.windows.equals( allocInfo.getBootSet().getMachine().getPlatform())) { throw new InvalidMetadataException( "You must specify a keypair when running a windows vm: " + allocInfo.getRequest().getImageId()); } else { allocInfo.setSshKeyPair(KeyPairs.noKey()); return true; } } Context ctx = allocInfo.getContext(); RunInstancesType request = allocInfo.getRequest(); String keyName = request.getKeyName(); SshKeyPair key = KeyPairs.lookup(ctx.getUserFullName().asAccountFullName(), keyName); if (!ctx.hasAdministrativePrivileges() && !RestrictedTypes.filterPrivileged().apply(key)) { throw new IllegalMetadataAccessException( "Not authorized to use keypair " + keyName + " by " + ctx.getUser().getName()); } allocInfo.setSshKeyPair(key); return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException { Context ctx = allocInfo.getContext(); NetworkGroups.lookup( ctx.getUserFullName().asAccountFullName(), NetworkGroups.defaultNetworkName()); Set<String> networkNames = Sets.newHashSet(allocInfo.getRequest().getGroupSet()); if (networkNames.isEmpty()) { networkNames.add(NetworkGroups.defaultNetworkName()); } Map<String, NetworkGroup> networkRuleGroups = Maps.newHashMap(); for (String groupName : networkNames) { NetworkGroup group = NetworkGroups.lookup(ctx.getUserFullName().asAccountFullName(), groupName); if (!ctx.hasAdministrativePrivileges() && !RestrictedTypes.filterPrivileged().apply(group)) { throw new IllegalMetadataAccessException( "Not authorized to use network group " + groupName + " for " + ctx.getUser().getName()); } networkRuleGroups.put(groupName, group); } Set<String> missingNets = Sets.difference(networkNames, networkRuleGroups.keySet()); if (!missingNets.isEmpty()) { throw new NoSuchMetadataException("Failed to find security group info for: " + missingNets); } else { allocInfo.setNetworkRules(networkRuleGroups); } return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException { if (allocInfo.getRequest().getKeyName() == null || "".equals(allocInfo.getRequest().getKeyName())) { allocInfo.setSshKeyPair(KeyPairs.noKey()); return true; } UserFullName ownerFullName = allocInfo.getOwnerFullName(); RunInstancesType request = allocInfo.getRequest(); String keyName = request.getKeyName(); SshKeyPair key = KeyPairs.lookup(ownerFullName.asAccountFullName(), keyName); if (!RestrictedTypes.filterPrivileged().apply(key)) { throw new IllegalMetadataAccessException( "Not authorized to use keypair " + keyName + " by " + ownerFullName.getUserName()); } allocInfo.setSshKeyPair(key); return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException, AuthException, VerificationException { RunInstancesType msg = allocInfo.getRequest(); String imageId = msg.getImageId(); VmType vmType = allocInfo.getVmType(); try { BootableSet bootSet = Emis.newBootableSet(imageId); allocInfo.setBootableSet(bootSet); // Add (1024L * 1024L * 10) to handle NTFS min requirements. if (!bootSet.isBlockStorage()) { if (Platform.windows.equals(bootSet.getMachine().getPlatform()) && bootSet.getMachine().getImageSizeBytes() > ((1024L * 1024L * 1024L * vmType.getDisk()) + (1024L * 1024L * 10))) { throw new ImageInstanceTypeVerificationException( "Unable to run instance " + bootSet.getMachine().getDisplayName() + " in which the size " + bootSet.getMachine().getImageSizeBytes() + " bytes of the instance is greater than the vmType " + vmType.getDisplayName() + " size " + vmType.getDisk() + " GB."); } else if (bootSet.getMachine().getImageSizeBytes() > ((1024L * 1024L * 1024L * vmType.getDisk()))) { throw new ImageInstanceTypeVerificationException( "Unable to run instance " + bootSet.getMachine().getDisplayName() + " in which the size " + bootSet.getMachine().getImageSizeBytes() + " bytes of the instance is greater than the vmType " + vmType.getDisplayName() + " size " + vmType.getDisk() + " GB."); } } } catch (VerificationException e) { throw e; } catch (MetadataException ex) { LOG.error(ex); throw ex; } catch (RuntimeException ex) { LOG.error(ex); throw new VerificationException( "Failed to verify references for request: " + msg.toSimpleString() + " because of: " + ex.getMessage(), ex); } return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException { Context ctx = allocInfo.getContext(); User user = ctx.getUser(); String instanceType = allocInfo.getRequest().getInstanceType(); VmType vmType = VmTypes.lookup(instanceType); if (!ctx.hasAdministrativePrivileges() && !RestrictedTypes.filterPrivileged().apply(vmType)) { throw new IllegalMetadataAccessException( "Not authorized to allocate vm type " + instanceType + " for " + ctx.getUserFullName()); } allocInfo.setVmType(vmType); return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException { String instanceType = allocInfo.getRequest().getInstanceType(); VmType vmType = VmTypes.lookup(instanceType); if (!RestrictedTypes.filterPrivileged().apply(vmType)) { throw new IllegalMetadataAccessException( "Not authorized to allocate vm type " + instanceType + " for " + allocInfo.getOwnerFullName()); } allocInfo.setVmType(vmType); return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException { RunInstancesType request = allocInfo.getRequest(); String zoneName = request.getAvailabilityZone(); if (Clusters.getInstance().listValues().isEmpty()) { LOG.debug("enabled values: " + Joiner.on("\n").join(Clusters.getInstance().listValues())); LOG.debug("disabled values: " + Joiner.on("\n").join(Clusters.getInstance().listValues())); throw new VerificationException( "Not enough resources: no cluster controller is currently available to run instances."); } else if (Partitions.exists(zoneName)) { Partition partition = Partitions.lookupByName(zoneName); allocInfo.setPartition(partition); } else if (Partition.DEFAULT_NAME.equals(zoneName)) { Partition partition = Partition.DEFAULT; allocInfo.setPartition(partition); } else { throw new VerificationException( "Not enough resources: no cluster controller is currently available to run instances."); } return true; }
@Override public boolean apply(Allocation allocInfo) throws MetadataException { BootableImageInfo imageInfo = allocInfo.getBootSet().getMachine(); final ArrayList<BlockDeviceMappingItemType> instanceMappings = allocInfo.getRequest().getBlockDeviceMapping() != null ? allocInfo.getRequest().getBlockDeviceMapping() : new ArrayList<BlockDeviceMappingItemType>(); List<DeviceMapping> imageMappings = new ArrayList<DeviceMapping>(((ImageInfo) imageInfo).getDeviceMappings()); // Figure out the final set of mappings for this instance and add it to the request before // verifying the mappings. // for ( DeviceMapping imageMapping : imageMappings ) { // if( !Iterables.any( instanceMappings, Images.findBlockDeviceMappingItempType( // imageMapping.getDeviceName() ) ) ) { // instanceMappings.add(Images.DeviceMappingDetails.INSTANCE.apply(imageMapping)); // } // } // Is this an overkill?? Should I rather go with the above logic. Damn complexity seems // same... // probably m * n where m is the number of image mappings and n is the number of instance // mappings instanceMappings.addAll( Lists.transform( Lists.newArrayList( Iterables.filter( imageMappings, new Predicate<DeviceMapping>() { @Override public boolean apply(DeviceMapping arg0) { return !Iterables.any( instanceMappings, Images.findBlockDeviceMappingItempType(arg0.getDeviceName())); } })), Images.DeviceMappingDetails.INSTANCE)); if (imageInfo instanceof BlockStorageImageInfo) { // bfebs image if (!instanceMappings.isEmpty()) { // Verify all block device mappings. Dont fuss if both snapshot id and volume size are // left blank Images.isDeviceMappingListValid(instanceMappings, Boolean.TRUE, Boolean.TRUE); BlockStorageImageInfo bfebsImage = (BlockStorageImageInfo) imageInfo; Integer imageSizeGB = (int) (bfebsImage.getImageSizeBytes() / BYTES_PER_GB); Integer userRequestedSizeGB = null; // Find the root block device mapping in the run instance request. Validate it BlockDeviceMappingItemType rootBlockDevice = Iterables.find( instanceMappings, Images.findEbsRootOptionalSnapshot(bfebsImage.getRootDeviceName()), null); if (rootBlockDevice != null) { // Ensure that root device is not mapped to a different snapshot, logical device or // suppressed. // Verify that the root device size is not smaller than the image size if (StringUtils.isNotBlank(rootBlockDevice.getEbs().getSnapshotId()) && !StringUtils.equals( rootBlockDevice.getEbs().getSnapshotId(), bfebsImage.getSnapshotId())) { throw new InvalidMetadataException( "Snapshot ID cannot be modified for the root device. " + "Source snapshot from the image registration will be used for creating the root device"); } else if (StringUtils.isNotBlank(rootBlockDevice.getVirtualName())) { throw new InvalidMetadataException( "Logical type cannot be modified for the root device. " + "Source snapshot from the image registration will be used for creating the root device"); } else if (rootBlockDevice.getNoDevice() != null && rootBlockDevice.getNoDevice()) { throw new InvalidMetadataException( "Root device cannot be suppressed. " + "Source snapshot from the image registration will be used for creating the root device"); } else if ((userRequestedSizeGB = rootBlockDevice.getEbs().getVolumeSize()) != null && userRequestedSizeGB < imageSizeGB) { throw new InvalidMetadataException( "Root device volume cannot be smaller than the image size"); } // Gather all the information for the root device mapping and populate it in the run // instance request if (rootBlockDevice.getEbs().getSnapshotId() == null) { rootBlockDevice.getEbs().setSnapshotId(bfebsImage.getSnapshotId()); } if (rootBlockDevice.getEbs().getVolumeSize() == null) { rootBlockDevice.getEbs().setVolumeSize(imageSizeGB); } if (rootBlockDevice.getEbs().getDeleteOnTermination() == null) { rootBlockDevice.getEbs().setDeleteOnTermination(bfebsImage.getDeleteOnTerminate()); } } else { // This should never happen. Root device mapping will always exist in the block storage // image and or run instance request throw new InvalidMetadataException("Root block device mapping not found\n"); } } } else { // Instance store image // Verify all block device mappings. EBS mappings must be considered invalid since AWS // doesn't support it Images.isDeviceMappingListValid(instanceMappings, Boolean.TRUE, Boolean.FALSE); } // Set the final list of block device mappings in the run instance request (necessary if the // instance mappings were null). Checked with grze that its okay allocInfo.getRequest().setBlockDeviceMapping(instanceMappings); return true; }
@Override public boolean apply(final Allocation allocInfo) throws MetadataException { final UserFullName ownerFullName = allocInfo.getOwnerFullName(); final String instanceProfileArn = allocInfo.getRequest().getIamInstanceProfileArn(); final String instanceProfileName = allocInfo.getRequest().getIamInstanceProfileName(); if (!Strings.isNullOrEmpty(instanceProfileArn) || !Strings.isNullOrEmpty(instanceProfileName)) { final String profileAccount; final String profileName; if (!Strings.isNullOrEmpty(instanceProfileArn)) try { final Ern name = Ern.parse(instanceProfileArn); if (!(name instanceof EuareResourceName)) { throw new InvalidInstanceProfileMetadataException( "Invalid IAM instance profile ARN: " + instanceProfileArn); } profileAccount = name.getAccount(); profileName = ((EuareResourceName) name).getName(); } catch (JSONException e) { throw new InvalidInstanceProfileMetadataException( "Invalid IAM instance profile ARN: " + instanceProfileArn, e); } else { profileAccount = ownerFullName.getAccountNumber(); profileName = instanceProfileName; } final InstanceProfile profile; try { profile = Accounts.lookupInstanceProfileByName(profileAccount, profileName); } catch (AuthException e) { throw new InvalidInstanceProfileMetadataException( "Invalid IAM instance profile: " + profileAccount + "/" + profileName, e); } if (!Strings.isNullOrEmpty(instanceProfileName) && !instanceProfileName.equals(profile.getName())) { throw new InvalidInstanceProfileMetadataException( String.format( "Invalid IAM instance profile name '%s' for ARN: %s", profileName, instanceProfileArn)); } try { final AuthContextSupplier user = allocInfo.getAuthContext(); if (!Permissions.isAuthorized( PolicySpec.VENDOR_IAM, PolicySpec.IAM_RESOURCE_INSTANCE_PROFILE, Accounts.getInstanceProfileFullName(profile), AccountFullName.getInstance(profile.getAccountNumber()), PolicySpec.IAM_LISTINSTANCEPROFILES, user)) { throw new IllegalMetadataAccessException( String.format( "Not authorized to access instance profile with ARN %s for %s", profile.getInstanceProfileArn(), ownerFullName)); } final Role role = profile.getRole(); if (role != null && !Permissions.isAuthorized( PolicySpec.VENDOR_IAM, PolicySpec.IAM_RESOURCE_ROLE, Accounts.getRoleFullName(role), AccountFullName.getInstance(role.getAccountNumber()), PolicySpec.IAM_PASSROLE, user)) { throw new IllegalMetadataAccessException( String.format( "Not authorized to pass role with ARN %s for %s", role.getRoleArn(), ownerFullName)); } if (role != null) { allocInfo.setInstanceProfileArn(profile.getInstanceProfileArn()); allocInfo.setIamInstanceProfileId(profile.getInstanceProfileId()); allocInfo.setIamRoleArn(role.getRoleArn()); } else { throw new InvalidInstanceProfileMetadataException( "Role not found for IAM instance profile ARN: " + profile.getInstanceProfileArn()); } } catch (AuthException e) { throw new MetadataException("IAM instance profile error", e); } } return true; }