...

@APICommand(name = "startVirtualMachine", responseObject = UserVmResponse.class, description = "Starts a virtual machine.")
public class StartVMCmd extends BaseAsyncCmd {
    public static final Logger s_logger = Logger.getLogger(StartVMCmd.class.getName());

    private static final String s_name = "startvirtualmachineresponse";

    // ///////////////////////////////////////////////////
    // ////////////// API parameters /////////////////////
    // ///////////////////////////////////////////////////

    @ACL(action="startVirtualMachine")
    @Parameter(name = ApiConstants.ID, type = CommandType.UUID, entityType=UserVmResponse.class,
            required = true, description = "The ID of the virtual machine")
    private Long id;

...

The API layer will call the APICheckers to see if the user is allowed to invoke this API. PolicyBasedAccessChecker::checkAccess(user, apiName) will check the following: just return true and rely on the next step.

Entity Access Check

The @ACL annotation invokes the SecurityChecker implementation. PolicyBasedAccessChecker::checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) is invoked for the given user account and VM Id for action 'startVirtualMachine'.

  • Find all groups the user belongs to: groupIDs = 1
  • Find all 'Effective' policies the groups are associated to: policies = 1, 6
  • If any policy 'Allows' the startVirtualMachine API for this VM Id, grant permission to make this call: Policy Id 6 and Permission Id 3 allow the API to be invoked for this user.

  • In this case, since this is a regular user and the user is the owner of the VM, he is granted access using policy Id 6.

A Domain Admin 'domainAdmin' calls this command for a VM in his domain:

Entity Access Check

  • Find all groups the user belongs to: groupIDs = 3
  • Find all 'Effective' policies the groups are associated to: policies = 3
  • Policy Id 3 and Permission Id 2 allow 'startVirtualMachine' access for VMs in the 'Domain' scope - VMs in the domainId of the user.
  • The PolicyBasedAccessChecker allows the 'startVirtualMachine' access to this VM Id if any of the account's policies allows it for this VM.
  • In this case, since the VM is in the domain of the user, he is granted access using policy Id 3.

A Root Admin 'admin' calls this command for any:

Entity Access Check

  • Find all groups the user belongs to: groupIDs = 2
  • Find all 'Effective' policies the groups are associated to: policies = 2
  • Policy Id 3 and Permission Id 1 allow 'startVirtualMachine' access for ALL VMs.
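
The three walk-throughs above follow one evaluation: resolve the caller's groups, collect the effective policies, and grant access only if some permission allows the action for this VM's scope. The sketch below is an added example of that evaluation, not CloudStack's PolicyBasedAccessChecker code. The class and record names, the ACCOUNT and ALL scope names, the default-deny result, and the sample group, policy and VM data are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.Map;

public class PolicyCheckSketch {
    enum Scope { ACCOUNT, DOMAIN, ALL }   // assumed names; the page names only the 'Domain' scope
    record Caller(String account, long domainId, List<Long> groupIds) {}
    record Vm(long id, String ownerAccount, long domainId) {}
    record Permission(long id, String action, Scope scope) {}

    // Constructed sample data: group id -> effective policy ids -> permissions.
    // Permission 1 is attached here to policy 2, the root admin group's effective policy.
    static final Map<Long, List<Long>> GROUP_POLICIES = Map.of(
            1L, List.of(1L, 6L), 2L, List.of(2L), 3L, List.of(3L));
    static final Map<Long, List<Permission>> POLICY_PERMISSIONS = Map.of(
            1L, List.of(),
            2L, List.of(new Permission(1, "startVirtualMachine", Scope.ALL)),
            3L, List.of(new Permission(2, "startVirtualMachine", Scope.DOMAIN)),
            6L, List.of(new Permission(3, "startVirtualMachine", Scope.ACCOUNT)));

    // Default deny: true only if some effective policy allows the action for this VM.
    static boolean checkAccess(Caller caller, Vm vm, String action) {
        for (long groupId : caller.groupIds()) {
            for (long policyId : GROUP_POLICIES.getOrDefault(groupId, List.of())) {
                for (Permission p : POLICY_PERMISSIONS.getOrDefault(policyId, List.of())) {
                    if (p.action().equals(action) && inScope(p.scope(), caller, vm)) return true;
                }
            }
        }
        return false;
    }

    static boolean inScope(Scope scope, Caller caller, Vm vm) {
        switch (scope) {
            case ACCOUNT: return caller.account().equals(vm.ownerAccount()); // owner only
            case DOMAIN:  return caller.domainId() == vm.domainId();        // same domain
            default:      return true;                                      // ALL
        }
    }

    public static void main(String[] args) {
        Vm vm = new Vm(10, "user", 2);   // constructed VM owned by 'user' in domain 2
        List<Caller> callers = List.of(
                new Caller("user", 2, List.of(1L)),          // owner
                new Caller("user2", 2, List.of(1L)),         // same group, not the owner
                new Caller("domainAdmin", 2, List.of(3L)),   // admin of the VM's domain
                new Caller("domainAdmin2", 5, List.of(3L)),  // admin of another domain
                new Caller("admin", 1, List.of(2L)));        // root admin
        for (Caller c : callers) {
            System.out.println(c.account() + " -> " + checkAccess(c, vm, "startVirtualMachine"));
        }
    }
}
```

The two extra callers (a non-owner in the same group and a domain admin of a different domain) exercise the deny path, which the walk-throughs above do not cover.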