/**
 * Validates an ACL assignment change request before it is applied.
 *
 * <p>The request is rejected with the "required parameter missing or empty" bad-request error
 * when it is {@code null} or when both its add list and its remove list are empty. Otherwise
 * both lists are passed to {@code validateAclEntries}, add list first. The per-entry rules live
 * in that helper; the earlier documentation of this method describes them as rejecting an entry
 * that carries more than one privilege, a privilege other than USE, or a tenant that is not a
 * valid tenant org (confirm against {@code validateAclEntries}).
 *
 * @param changes ACL assignment changes to validate.
 */
private void validateAclAssignments(ACLAssignmentChanges changes) {
    // A missing request and a request with nothing to add or remove get the same error.
    // The short-circuit keeps the getters from being reached when changes is null.
    final boolean nothingToApply = changes == null
            || (CollectionUtils.isEmpty(changes.getAdd())
                    && CollectionUtils.isEmpty(changes.getRemove()));
    if (nothingToApply) {
        throw APIException.badRequests.requiredParameterMissingOrEmpty("ACLAssignmentChanges");
    }

    // Entries being removed are validated with the same rules as entries being added.
    validateAclEntries(changes.getAdd());
    validateAclEntries(changes.getRemove());
}
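/**
 * Refuses to remove a tenant from a vCenter's ACLs while that tenant still uses the vCenter.
 *
 * <p>Only tenants that appear both in the remove list and in the vCenter's current ACLs are
 * examined. For each of them {@code ComputeSystemHelper.isVcenterInUseForTheTenant} decides
 * whether the vCenter is still in use; per the earlier documentation of this method that covers
 * exports used by the vCenter's datacenters, clusters or hosts belonging to the tenant (confirm
 * against the helper). If any such tenant is found, the bad-request error built by
 * {@code APIException.badRequests.cannotRemoveTenant} is thrown, listing the tenants in use.
 *
 * <p>The method returns without checking anything when the vCenter has no ACL entries or when
 * the change request removes none.
 *
 * @param vcenter the vCenter being updated.
 * @param changes new ACL assignment changes for the vCenter.
 */
private void checkVcenterUsage(Vcenter vcenter, ACLAssignmentChanges changes) {
    // Work on the ACL entries the vCenter currently has.
    List<ACLEntry> existingAclEntries = _permissionsHelper.convertToACLEntries(vcenter.getAcls());
    if (CollectionUtils.isEmpty(existingAclEntries)) {
        // No existing ACL entries: no tenant can be losing access, so nothing to validate.
        _log.debug("vCenter {} does not have any existing acls", vcenter.getLabel());
        return;
    }

    // No tenants are being removed from the vCenter ACLs: nothing to check for usage.
    if (CollectionUtils.isEmpty(changes.getRemove())) {
        _log.debug("There are not acls to remove from vCenter {}", vcenter.getLabel());
        return;
    }

    Set<String> tenantsInUse = new HashSet<String>();
    Set<URI> removingTenants = _permissionsHelper.getUsageURIsFromAclEntries(changes.getRemove());
    Set<URI> existingTenants = _permissionsHelper.getUsageURIsFromAclEntries(existingAclEntries);

    for (URI removingTenant : removingTenants) {
        // A tenant that is not in the current ACLs is not actually losing access.
        if (!existingTenants.contains(removingTenant)) {
            continue;
        }

        if (ComputeSystemHelper.isVcenterInUseForTheTenant(
                _dbClient, vcenter.getId(), removingTenant)) {
            // The tenant record is looked up only to report a readable name. If the lookup
            // yields no object or no label, fall back to the tenant URI so the removal is
            // still blocked (fail closed) instead of ending in a NullPointerException.
            TenantOrg tenant = _dbClient.queryObject(TenantOrg.class, removingTenant);
            String tenantLabel = (tenant != null) ? tenant.getLabel() : null;
            tenantsInUse.add(tenantLabel != null ? tenantLabel : removingTenant.toString());
        }
    }

    if (!tenantsInUse.isEmpty()) {
        // The resource-type argument is passed exactly as before, spelling included, so the
        // message seen by API clients is unchanged.
        throw APIException.badRequests.cannotRemoveTenant("vCener", vcenter.getLabel(), tenantsInUse);
    }
}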