/**
* Validates the individual list of acl entries. It is not valid acl entries list, when an acl
* entry contains more than one privilege or privileges other than USE and if the tenant provided
* in the acl entry is not a valid tenant org.
*
* @param aclEntries acl entries to be validated.
*/
private void validateAclEntries(List<ACLEntry> aclEntries) {
if (CollectionUtils.isEmpty(aclEntries)) {
return;
}
Iterator<ACLEntry> aclEntryIterator = aclEntries.iterator();
while (aclEntryIterator.hasNext()) {
ACLEntry aclEntry = aclEntryIterator.next();
// If more than one privileges provided the ACL Entry, it is not supported
// for vCenter ACL. Only USE ACL can be provided.
if (aclEntry.getAces().size() != 1) {
throw APIException.badRequests.unsupportedNumberOfPrivileges(
URI.create(aclEntry.getTenant()), aclEntry.getAces());
}
if (!aclEntry.getAces().get(0).equalsIgnoreCase(ACL.USE.name())) {
throw APIException.badRequests.unsupportedPrivilege(
URI.create(aclEntry.getTenant()), aclEntry.getAces().get(0));
}
// Validate if the provided tenant is a valid tenant or not.
URI tenantId = URI.create(aclEntry.getTenant());
TenantOrg tenant = queryObject(TenantOrg.class, tenantId, true);
ArgValidator.checkEntity(tenant, tenantId, isIdEmbeddedInURL(tenantId));
}
}
/**
* Adds the tenant to the vCenter acls if the tenant admin is creating it. This always sets the
* vCenter tenant (the old deprecated filed to null).
*
* @param tenant a valid tenant org if the tenant admin is creating it.
* @param vcenter the vCenter being created.
*/
private void addVcenterAclIfTenantAdmin(TenantOrg tenant, Vcenter vcenter) {
// Always set the deprecated tenant field of a vCenter to null.
vcenter.setTenant(NullColumnValueGetter.getNullURI());
if (isSystemAdmin()) {
return;
}
URI tenantId;
if (tenant != null) {
tenantId = tenant.getId();
} else {
// If the tenant org is not valid, try to use the
// user's tenant org.
tenantId = URI.create(getUserFromContext().getTenantId());
}
// If the User is an admin in the tenant org, allow the
// operation otherwise, report the insufficient permission
// exception.
if (_permissionsHelper.userHasGivenRole(getUserFromContext(), tenantId, Role.TENANT_ADMIN)) {
// Generate the acl entry and add to the vCenters acls.
String aclKey = _permissionsHelper.getTenantUsePermissionKey(tenantId.toString());
vcenter.addAcl(aclKey, ACL.USE.name());
_log.debug("Adding {} to the vCenter {} acls", aclKey, vcenter.getLabel());
}
}
