Allow domain admin to change domain and account settings

Author: davidjumani

api/src/main/java/org/apache/cloudstack/query/QueryService.java

@@ -96,6 +96,9 @@ public interface QueryService {
             "user.vm.denied.details", "rootdisksize, cpuOvercommitRatio, memoryOvercommitRatio, Message.ReservedCapacityFreed.Flag",
             "Determines whether users can view certain VM settings. When set to empty, default value used is: rootdisksize, cpuOvercommitRatio, memoryOvercommitRatio, Message.ReservedCapacityFreed.Flag.", true);
 
+    static final ConfigKey<String> DomainAdminAllowListedConfigurations = new ConfigKey<String>("Advanced", String.class,
+            "domain.admin.allowlisted.config", "", "Determines which domain and account level configurations the domain admin is able to change", true);
+
     static final ConfigKey<String> UserVMReadOnlyDetails = new ConfigKey<String>("Advanced", String.class,
             "user.vm.readonly.details", "dataDiskController, rootDiskController",
             "List of read-only VM settings/details as comma separated string", true);

server/src/main/java/com/cloud/api/query/QueryManagerImpl.java

@@ -4150,6 +4150,6 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] {AllowUserViewDestroyedVM, UserVMDeniedDetails, UserVMReadOnlyDetails, SortKeyAscending, AllowUserViewAllDomainAccounts};
+        return new ConfigKey<?>[] {AllowUserViewDestroyedVM, UserVMDeniedDetails, UserVMReadOnlyDetails, SortKeyAscending, AllowUserViewAllDomainAccounts, DomainAdminAllowListedConfigurations};
     }
 }

server/src/main/java/com/cloud/configuration/ConfigurationManagerImpl.java

@@ -33,6 +33,8 @@
 import java.util.ListIterator;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import java.util.Set;
 import java.util.UUID;
 
@@ -87,6 +89,7 @@
 import org.apache.cloudstack.framework.messagebus.MessageBus;
 import org.apache.cloudstack.framework.messagebus.MessageSubscriber;
 import org.apache.cloudstack.framework.messagebus.PublishScope;
+import org.apache.cloudstack.query.QueryService;
 import org.apache.cloudstack.region.PortableIp;
 import org.apache.cloudstack.region.PortableIpDao;
 import org.apache.cloudstack.region.PortableIpRange;
@@ -770,6 +773,20 @@ public Configuration updateConfiguration(final UpdateCfgCmd cmd) throws InvalidP
         final ConfigurationVO config = _configDao.findByName(name);
         String catergory = null;
 
+        final Account caller = CallContext.current().getCallingAccount();
+        if (_accountMgr.isDomainAdmin(caller.getId())) {
+            if (domainId == null) {
+                throw new PermissionDeniedException("Domain admins can change only domain level configuration");
+            }
+
+            final List<String> domainAdminWhitelistConfigs = Stream.of(QueryService.DomainAdminAllowListedConfigurations.value().split(","))
+                    .map(item -> (item).trim())
+                    .collect(Collectors.toList());
+            if (!domainAdminWhitelistConfigs.contains(name)) {
+                throw new PermissionDeniedException("Domain admins can not change this configuration");
+            }
+        }
+
         // FIX ME - All configuration parameters are not moved from config.java to configKey
         if (config == null) {
             if (_configDepot.get(name) == null) {
@@ -806,11 +823,14 @@ public Configuration updateConfiguration(final UpdateCfgCmd cmd) throws InvalidP
             paramCountCheck++;
         }
         if (accountId != null) {
+            Account account = _accountMgr.getAccount(accountId);
+            _accountMgr.checkAccess(caller, _domainDao.findById(account.getDomainId()));
             scope = ConfigKey.Scope.Account.toString();
             id = accountId;
             paramCountCheck++;
         }
         if (domainId != null) {
+            _accountMgr.checkAccess(caller, _domainDao.findById(domainId));
             scope = ConfigKey.Scope.Domain.toString();
             id = domainId;
             paramCountCheck++;

server/src/main/java/com/cloud/server/ManagementServerImpl.java

@@ -36,8 +36,8 @@
 import java.util.concurrent.TimeUnit;
 import java.util.function.Predicate;
 
-
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
@@ -1953,6 +1953,11 @@ public Pair<List<? extends Configuration>, Integer> searchForConfigurations(fina
         Long id = null;
         int paramCountCheck = 0;
 
+        final Account caller = CallContext.current().getCallingAccount();
+        if (_accountMgr.isDomainAdmin(caller.getId()) && domainId == null) {
+            throw new PermissionDeniedException("Domain admin can change only domain level settings");
+        }
+
         if (zoneId != null) {
             scope = ConfigKey.Scope.Zone.toString();
             id = zoneId;
@@ -1964,11 +1969,14 @@ public Pair<List<? extends Configuration>, Integer> searchForConfigurations(fina
             paramCountCheck++;
         }
         if (accountId != null) {
+            Account account = _accountMgr.getAccount(accountId);
+            _accountMgr.checkAccess(caller, _domainDao.findById(account.getDomainId()));
             scope = ConfigKey.Scope.Account.toString();
             id = accountId;
             paramCountCheck++;
         }
         if (domainId != null) {
+            _accountMgr.checkAccess(caller, _domainDao.findById(domainId));
             scope = ConfigKey.Scope.Domain.toString();
             id = domainId;
             paramCountCheck++;
@@ -2018,10 +2026,21 @@ public Pair<List<? extends Configuration>, Integer> searchForConfigurations(fina
 
         final Pair<List<ConfigurationVO>, Integer> result = _configDao.searchAndCount(sc, searchFilter);
 
+        List<ConfigurationVO> configs = result.first();
+
+        if (_accountMgr.isDomainAdmin(caller.getId())) {
+            final List<String> domainAdminWhitelistConfigs = Stream.of(QueryService.DomainAdminAllowListedConfigurations.value().split(","))
+                .map(item -> (item).trim())
+                .collect(Collectors.toList());
+            configs = configs.stream()
+                .filter(item -> domainAdminWhitelistConfigs.contains(item.getName()))
+                .collect(Collectors.toList());
+        }
+
         if (scope != null && !scope.isEmpty()) {
             // Populate values corresponding the resource id
             final List<ConfigurationVO> configVOList = new ArrayList<ConfigurationVO>();
-            for (final ConfigurationVO param : result.first()) {
+            for (final ConfigurationVO param : configs) {
                 final ConfigurationVO configVo = _configDao.findByName(param.getName());
                 if (configVo != null) {
                     final ConfigKey<?> key = _configDepot.get(param.getName());
@@ -2039,7 +2058,7 @@ public Pair<List<? extends Configuration>, Integer> searchForConfigurations(fina
             return new Pair<List<? extends Configuration>, Integer>(configVOList, configVOList.size());
         }
 
-        return new Pair<List<? extends Configuration>, Integer>(result.first(), result.second());
+        return new Pair<List<? extends Configuration>, Integer>(configs, result.second());
     }
 
     @Override