From 8614ca8a9479930a95dcf8dcd36c78f44513a079 Mon Sep 17 00:00:00 2001 From: Suresh Kumar Anaparti Date: Tue, 1 Mar 2022 12:39:00 +0530 Subject: [PATCH 1/3] Check the network access when deploying VM in Advanced Security Group. --- server/src/main/java/com/cloud/vm/UserVmManagerImpl.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java index 58ea4e9175ed..bfc242c46338 100644 --- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java @@ -3533,6 +3533,8 @@ public UserVm createAdvancedSecurityGroupVirtualMachine(DataCenter zone, Service throw new InvalidParameterValueException("Network is not security group enabled: " + network.getId()); } + _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network); + networkList.add(network); } isSecurityGroupEnabledNetworkUsed = true; @@ -3556,9 +3558,8 @@ public UserVm createAdvancedSecurityGroupVirtualMachine(DataCenter zone, Service } // Perform account permission check - if (network.getAclType() == ACLType.Account) { - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); - } + _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network); + networkList.add(network); } } From 68370cc23aaccd314b1b9ea15576e5a2d36415b8 Mon Sep 17 00:00:00 2001 From: Suresh Kumar Anaparti Date: Tue, 1 Mar 2022 15:41:09 +0530 Subject: [PATCH 2/3] Removed comment --- server/src/main/java/com/cloud/vm/UserVmManagerImpl.java | 1 - 1 file changed, 1 deletion(-) diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java index bfc242c46338..41e57d9827a5 100644 --- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java 
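Review bot: The new `_accountMgr.checkAccess(owner, AccessType.UseEntry, false, network);` in the first hunk runs only after the "Network is not security group enabled" validation (and whatever lookups and checks precede the hunk), so an account that is not allowed to use the network still learns its properties from those error messages before being refused; authorizing first and validating second — moving the check to just after the network is resolved, which is outside this hunk — avoids that disclosure. The identical call is added in the second hunk of the same method, so a private helper such as `checkOwnerCanUseNetwork(owner, network)` would keep the two paths in step. createAdvancedSecurityGroupVirtualMachine starts and ends outside the hunk.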
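Review bot: In the second hunk the replacement check changes two things at once — it is evaluated against `owner` rather than `caller`, and it is no longer restricted to `ACLType.Account` networks — yet the surviving comment `// Perform account permission check` still describes the old Account-ACL-only, caller-based check. I would reword it to `// The VM owner (not just the caller) must be allowed to use this shared network, whatever its ACL type`. Since the removed caller-based check presumably let an admin deploy onto a network the owner could not use, it is worth confirming that an admin deploying on behalf of an account outside the network's domain now fails here as intended. The enclosing method continues outside the hunk.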
@@ -3557,7 +3557,6 @@ public UserVm createAdvancedSecurityGroupVirtualMachine(DataCenter zone, Service throw new InvalidParameterValueException("Can specify only Shared Guest networks when" + " deploy vm in Advance Security Group enabled zone"); } - // Perform account permission check _accountMgr.checkAccess(owner, AccessType.UseEntry, false, network); networkList.add(network); From fec436bfb735d41690fce419623819f1354fd26b Mon Sep 17 00:00:00 2001 From: Suresh Kumar Anaparti Date: Wed, 2 Mar 2022 16:15:00 +0530 Subject: [PATCH 3/3] Removed redundant network access check, owner access check already exists --- server/src/main/java/com/cloud/vm/UserVmManagerImpl.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java index 41e57d9827a5..44cc2dd448cb 100644 --- a/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java +++ b/server/src/main/java/com/cloud/vm/UserVmManagerImpl.java @@ -1409,9 +1409,6 @@ public UserVm addNicToVirtualMachine(AddNicToVMCmd cmd) throws InvalidParameterV throw new CloudRuntimeException("Zone " + vmInstance.getDataCenterId() + ", has a NetworkType of Basic. Can't add a new NIC to a VM on a Basic Network"); } - // Perform account permission check on network - _accountMgr.checkAccess(caller, AccessType.UseEntry, false, network); - //ensure network belongs in zone if (network.getDataCenterId() != vmInstance.getDataCenterId()) { throw new CloudRuntimeException(vmInstance + " is in zone:" + vmInstance.getDataCenterId() + " but " + network + " is in zone:" + network.getDataCenterId());
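Review bot: After this hunk addNicToVirtualMachine contains no visible network authorization: the removed `_accountMgr.checkAccess(caller, AccessType.UseEntry, false, network);` was the only check on `network` in the hunk, and the owner check the commit message relies on is outside it, so it should be confirmed that that check targets the `network` with `UseEntry` (not only `vmInstance`) and runs before the NIC is attached. A one-line pointer where the check was removed, e.g. `// Network use is authorized against the VM owner elsewhere in this method; no caller-level check here`, would keep the next reader from concluding the check was lost or re-adding a caller-based one. The method starts and ends outside the hunk.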