|
50 | 50 | import javax.inject.Inject; |
51 | 51 | import javax.naming.ConfigurationException; |
52 | 52 |
|
| 53 | +import com.cloud.user.AccountManagerImpl; |
| 54 | +import org.apache.cloudstack.acl.RoleType; |
53 | 55 | import org.apache.cloudstack.acl.SecurityChecker; |
54 | 56 | import org.apache.cloudstack.affinity.AffinityGroup; |
55 | 57 | import org.apache.cloudstack.affinity.AffinityGroupService; |
@@ -481,6 +483,7 @@ public class ConfigurationManagerImpl extends ManagerBase implements Configurati |
481 | 483 | private long _defaultPageSize = Long.parseLong(Config.DefaultPageSize.getDefaultValue()); |
482 | 484 | private static final String DOMAIN_NAME_PATTERN = "^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+[A-Za-z]{1,63}$"; |
483 | 485 | private Set<String> configValuesForValidation = new HashSet<>(); |
| 486 | + private Set<String> configKeysAllowedOnlyForDefaultAdmin = new HashSet<>(); |
484 | 487 | private Set<String> weightBasedParametersForValidation = new HashSet<>(); |
485 | 488 | private Set<String> overprovisioningFactorsForValidation = new HashSet<>(); |
486 | 489 |
|
@@ -545,6 +548,7 @@ public boolean configure(final String name, final Map<String, Object> params) th |
545 | 548 | populateConfigValuesForValidationSet(); |
546 | 549 | weightBasedParametersForValidation(); |
547 | 550 | overProvisioningFactorsForValidation(); |
| 551 | + populateConfigKeysAllowedOnlyForDefaultAdmin(); |
548 | 552 | initMessageBusListener(); |
549 | 553 | return true; |
550 | 554 | } |
@@ -609,6 +613,11 @@ protected void overProvisioningFactorsForValidation() { |
609 | 613 | overprovisioningFactorsForValidation.add(CapacityManager.StorageOverprovisioningFactor.key()); |
610 | 614 | } |
611 | 615 |
|
| 616 | + protected void populateConfigKeysAllowedOnlyForDefaultAdmin() { |
| 617 | + configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key()); |
| 618 | + configKeysAllowedOnlyForDefaultAdmin.add(AccountManagerImpl.allowOperationsOnUsersInSameAccount.key()); |
| 619 | + } |
| 620 | + |
612 | 621 | private void initMessageBusListener() { |
613 | 622 | messageBus.subscribe(EventTypes.EVENT_CONFIGURATION_VALUE_EDIT, new MessageSubscriber() { |
614 | 623 | @Override |
@@ -1221,6 +1230,7 @@ protected String validateConfigurationValue(String name, String value, String sc |
1221 | 1230 | logger.error("Missing configuration variable " + name + " in configuration table"); |
1222 | 1231 | return "Invalid configuration variable."; |
1223 | 1232 | } |
| 1233 | + validateConfigurationAllowedOnlyForDefaultAdmin(name, value); |
1224 | 1234 |
|
1225 | 1235 | String configScope = cfg.getScope(); |
1226 | 1236 | if (scope != null) { |
@@ -1255,6 +1265,33 @@ protected String validateConfigurationValue(String name, String value, String sc |
1255 | 1265 | return validateValueRange(name, value, type, configuration); |
1256 | 1266 | } |
1257 | 1267 |
|
| 1268 | + protected void validateConfigurationAllowedOnlyForDefaultAdmin(String configName, String value) { |
| 1269 | + if (configKeysAllowedOnlyForDefaultAdmin.contains(configName)) { |
| 1270 | + final Long userId = CallContext.current().getCallingUserId(); |
| 1271 | + if (userId != User.UID_ADMIN) { |
| 1272 | + throw new CloudRuntimeException("Only default admin is allowed to change this setting"); |
| 1273 | + } |
| 1274 | + |
| 1275 | + if (AccountManagerImpl.listOfRoleTypesAllowedForOperationsOfSameRoleType.key().equals(configName)) { |
| 1276 | + if (value != null && !value.isBlank()) { |
| 1277 | + List<String> validRoleTypes = Arrays.stream(RoleType.values()) |
| 1278 | + .map(Enum::name) |
| 1279 | + .collect(Collectors.toList()); |
| 1280 | + |
| 1281 | + boolean allValid = Arrays.stream(value.split(",")) |
| 1282 | + .map(String::trim) |
| 1283 | + .allMatch(validRoleTypes::contains); |
| 1284 | + |
| 1285 | + if (!allValid) { |
| 1286 | + throw new CloudRuntimeException("Invalid role types provided in value"); |
| 1287 | + } |
| 1288 | + } else { |
| 1289 | + throw new CloudRuntimeException("Value for role types must not be empty"); |
| 1290 | + } |
| 1291 | + } |
| 1292 | + } |
| 1293 | + } |
| 1294 | + |
1258 | 1295 | /** |
1259 | 1296 | * Returns whether a value is valid for a configuration of the provided type. |
1260 | 1297 | * Valid configuration values are: |
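Review bot: The default-admin gate in `validateConfigurationAllowedOnlyForDefaultAdmin` is an authorization decision placed inside value validation, so it only protects callers that go through `validateConfigurationValue`; any other path that writes or resets these two keys (none is visible in this hunk) should be confirmed to reach it. The comparison `userId != User.UID_ADMIN` operates on a boxed `Long`, which is a reference comparison if `UID_ADMIN` is also boxed and throws a NullPointerException on unboxing if the call context carries no user id; `if (userId == null || userId.longValue() != User.UID_ADMIN)` avoids both. A denied attempt also deserves a log line before the throw, for example `logger.warn("User " + userId + " denied change of restricted setting " + configName);`, so that attempts to widen same-role operations are visible to operators. The value is trimmed only inside this check and not before it is stored, so whatever consumes the role-type list presumably has to trim each token as well.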
|