Gilad Chaplik has uploaded a new change for review. Change subject: engine: quota was not enforced in run VM ......................................................................
engine: quota was not enforced in run VM Since quota uses MLA model, each quota related action should add permission checks for Consume_Quota action group on the specified quota. this was not the case in run VM which override the addQuotaPermissionSubject wrongfully. The reason for that was that the user can create a VM from template and select the template's quota. this quota should be available only if the user has consumption rights for this quota. Last issue is that when failing on no-permission of consume_quota, the err message shouldn't be: 'the user isn't author...' but more suitable one related to quota and consumption. Change-Id: I053680e61b8f9a0557845d0b5359a022b6473052 Signed-off-by: Gilad Chaplik <gchap...@redhat.com> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RunVmCommand.java M backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java M backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties M frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java M frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/VmModelBehaviorBase.java M frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties M frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties 8 files changed, 13 insertions(+), 8 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/94/19994/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java index 115eeed..0de9ade 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java 
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/CommandBase.java @@ -1046,7 +1046,10 @@ for (QuotaConsumptionParameter parameter : getQuotaConsumptionParameters()) { if (parameter.getQuotaGuid() != null && !Guid.Empty.equals(parameter.getQuotaGuid()) && QuotaConsumptionParameter.QuotaAction.CONSUME.equals(parameter.getQuotaAction())) { - quotaPermissionList.add(new PermissionSubject(parameter.getQuotaGuid(), VdcObjectType.Quota, ActionGroup.CONSUME_QUOTA)); + quotaPermissionList.add(new PermissionSubject(parameter.getQuotaGuid(), + VdcObjectType.Quota, + ActionGroup.CONSUME_QUOTA, + VdcBllMessages.USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA)); } } } diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RunVmCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RunVmCommand.java index 7281d79..03a351d 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RunVmCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/RunVmCommand.java @@ -1051,10 +1051,6 @@ private static final Log log = LogFactory.getLog(RunVmCommand.class); @Override - public void addQuotaPermissionSubject(List<PermissionSubject> quotaPermissionList) { - } - - @Override public List<QuotaConsumptionParameter> getQuotaVdsConsumptionParameters() { List<QuotaConsumptionParameter> list = new ArrayList<QuotaConsumptionParameter>(); diff --git a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java index a888436..02b6782 100644 --- a/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java +++ b/backend/manager/modules/common/src/main/java/org/ovirt/engine/core/common/errors/VdcBllMessages.java 
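Review bot: The method this loop sits in (presumably `addQuotaPermissionSubject`; its signature is outside the hunk) remains an overridable hook, and the RunVmCommand hunk in this same change shows that an empty override was enough to drop the CONSUME_QUOTA check for a whole command. If no other command needs to replace it, declaring it `final` in CommandBase would prevent a repeat; otherwise put a comment on the method such as `// Authorization hook: overrides must call super; an empty body disables the CONSUME_QUOTA permission check`. The loop also adds no subject when the quota id is null or `Guid.Empty`; whether that exemption is intended is not visible here, so the same comment should say which code is expected to handle those parameters. A test that runs a VM with a quota the user cannot consume and expects `USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA` would pin the fix.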
@@ -688,6 +688,7 @@ ACTION_TYPE_FAILED_QUOTA_IN_USE_BY_VM_OR_DISK(ErrorType.CONFLICT), ACTION_TYPE_FAILED_QUOTA_STORAGE_LIMIT_EXCEEDED(ErrorType.CONFLICT), ACTION_TYPE_FAILED_QUOTA_VDS_GROUP_LIMIT_EXCEEDED(ErrorType.CONFLICT), + USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA(ErrorType.NO_PERMISSION), ACTION_TYPE_FAILED_NOT_A_VM_NETWORK(ErrorType.CONFLICT), ACTION_TYPE_FAILED_NETWORK_NOT_IN_CLUSTER(ErrorType.CONFLICT), ACTION_TYPE_FAILED_INTERFACE_NETWORK_NOT_CONFIGURED(ErrorType.BAD_PARAMETERS), diff --git a/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties b/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties index 15bf359..b2dc004 100644 --- a/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties +++ b/backend/manager/modules/dal/src/main/resources/bundles/AppErrors.properties @@ -789,7 +789,7 @@ ACTION_TYPE_FAILED_DATA_CENTER_MUST_HAVE_AT_LEAST_ONE_QUOTA=Cannot ${action} ${type}. Data Center must have at least one quota associated with it. Please try to add another Quota, or change the existing one. ACTION_TYPE_FAILED_QUOTA_STORAGE_LIMIT_EXCEEDED=Cannot ${action} ${type}. Quota has no sufficient storage resources. ACTION_TYPE_FAILED_QUOTA_VDS_GROUP_LIMIT_EXCEEDED=Cannot ${action} ${type}. Quota has no sufficient cluster resources. - +USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA=Cannot ${action} ${type}. The user is not a consumer to the Quota assign to the resource. # Internal USER_CANNOT_RUN_QUERY_NOT_PUBLIC=Permission denied. Query you try to run not public. diff --git a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java index b9b5f61..3c9fa3f 100644 --- a/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java +++ b/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/AppErrors.java 
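Review bot: The new message is the user's only explanation of this authorization failure and its wording is ungrammatical: "is not a consumer to the Quota assign to the resource" should read something like `USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA=Cannot ${action} ${type}. The user is not a consumer of the Quota assigned to the resource.`. The same string is added in the AppErrors.java hunk and in the userportal-gwtp and webadmin AppErrors.properties hunks, so all four need the same correction. This hunk and the webadmin one also replace the blank line that separated the quota messages from the `# Internal` section, while the userportal-gwtp hunk appears to add the key as a pure insertion; doing the same here would keep the three bundles consistent.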
@@ -2126,6 +2126,9 @@ @DefaultStringValue("Cannot ${action} ${type}. Quota has no sufficient cluster resources.") String ACTION_TYPE_FAILED_QUOTA_VDS_GROUP_LIMIT_EXCEEDED(); + @DefaultStringValue("Cannot ${action} ${type}. The user is not a consumer to the Quota assign to the resource.") + String USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA(); + // Internal @DefaultStringValue("Permission denied. Query you try to run not public.") String USER_CANNOT_RUN_QUERY_NOT_PUBLIC(); diff --git a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/VmModelBehaviorBase.java b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/VmModelBehaviorBase.java index 463c6ea..4970d76 100644 --- a/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/VmModelBehaviorBase.java +++ b/frontend/webadmin/modules/uicommonweb/src/main/java/org/ovirt/engine/ui/uicommonweb/models/vms/VmModelBehaviorBase.java @@ -626,7 +626,8 @@ break; } } - if (!hasQuotaInList) { + // Add the quota to the list only in edit mode + if (!hasQuotaInList && !getModel().getIsNew()) { Quota quota = new Quota(); quota.setId(defaultQuota); quota.setQuotaName(quotaName); diff --git a/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties b/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties index 9bd462b..a5fdc15 100644 --- a/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties +++ b/frontend/webadmin/modules/userportal-gwtp/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties 
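Review bot: The added `!getModel().getIsNew()` condition in the VmModelBehaviorBase hunk only changes what the dialog offers, and in edit mode a quota missing from the fetched list is still injected as a selectable item. If that list holds the quotas the user may consume (not visible in this hunk), an edited VM can keep a quota that the backend CONSUME_QUOTA check will now refuse at run time, so the UI should either mark that entry or the behaviour should be documented. The comment states what the condition does rather than why; something like `// Edit mode: keep the VM's current quota visible even when it is not in the fetched list; a new VM may only pick from that list` would help. The enclosing method and the loop that sets `hasQuotaInList` start outside the hunk.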
@@ -764,6 +764,7 @@ ACTION_TYPE_FAILED_DATA_CENTER_MUST_HAVE_AT_LEAST_ONE_QUOTA=Cannot ${action} ${type}. Data Center must have at least one quota associated with it. Please try to add another Quota, or change the existing one. ACTION_TYPE_FAILED_QUOTA_STORAGE_LIMIT_EXCEEDED=Cannot ${action} ${type}. Quota has no sufficient storage resources. ACTION_TYPE_FAILED_QUOTA_VDS_GROUP_LIMIT_EXCEEDED=Cannot ${action} ${type}. Quota has no sufficient cluster resources. +USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA=Cannot ${action} ${type}. The user is not a consumer to the Quota assign to the resource. # Internal USER_CANNOT_RUN_QUERY_NOT_PUBLIC=Permission denied. Query you try to run not public. diff --git a/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties b/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties index 8994ff7..269bedb 100644 --- a/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties +++ b/frontend/webadmin/modules/webadmin/src/main/resources/org/ovirt/engine/ui/frontend/AppErrors.properties 
@@ -789,7 +789,7 @@ ACTION_TYPE_FAILED_DATA_CENTER_MUST_HAVE_AT_LEAST_ONE_QUOTA=Cannot ${action} ${type}. Data Center must have at least one quota associated with it. Please try to add another Quota, or change the existing one. ACTION_TYPE_FAILED_QUOTA_STORAGE_LIMIT_EXCEEDED=Cannot ${action} ${type}. Quota has no sufficient storage resources. ACTION_TYPE_FAILED_QUOTA_VDS_GROUP_LIMIT_EXCEEDED=Cannot ${action} ${type}. Quota has no sufficient cluster resources. - +USER_NOT_AUTHORIZED_TO_CONSUME_QUOTA=Cannot ${action} ${type}. The user is not a consumer to the Quota assign to the resource. # Internal USER_CANNOT_RUN_QUERY_NOT_PUBLIC=Permission denied. Query you try to run not public. -- To view, visit http://gerrit.ovirt.org/19994 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I053680e61b8f9a0557845d0b5359a022b6473052 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Gilad Chaplik <gchap...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches