server: allow user to list available IPs on shared networks #7898
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2323,6 +2323,7 @@ public Pair<List<? extends IpAddress>, Integer> searchForIPAddresses(final ListP | |
| isAllocated = Boolean.TRUE; | ||
| } | ||
| } | ||
| boolean isAllocatedTemp = isAllocated; | ||
|
|
||
| VlanType vlanType = null; | ||
| if (forVirtualNetwork != null) { | ||
|
|
@@ -2333,6 +2334,7 @@ public Pair<List<? extends IpAddress>, Integer> searchForIPAddresses(final ListP | |
|
|
||
| final Account caller = getCaller(); | ||
| List<IPAddressVO> addrs = new ArrayList<>(); | ||
| NetworkVO network = null; // shared network | ||
|
|
||
| if (vlanType == VlanType.DirectAttached && networkId == null && ipId == null) { // only root admin can list public ips in all shared networks | ||
| if (caller.getType() != Account.Type.ADMIN) { | ||
|
|
@@ -2341,7 +2343,6 @@ public Pair<List<? extends IpAddress>, Integer> searchForIPAddresses(final ListP | |
| } else if (vlanType == VlanType.DirectAttached) { | ||
| // list public ip address on shared network | ||
| // access control. admin: all Ips, domain admin/user: all Ips in shared network in the domain/sub-domain/user | ||
| if (networkId == null) { | ||
| IPAddressVO ip = _publicIpAddressDao.findById(ipId); | ||
| if (ip == null) { | ||
|
|
@@ -2475,7 +2476,20 @@ public Pair<List<? extends IpAddress>, Integer> searchForIPAddresses(final ListP | |
| for (IPAddressVO addr: freeAddrs) { | ||
| freeAddrIds.add(addr.getId()); | ||
| } | ||
| } else if (vlanType == VlanType.DirectAttached && network != null && !isAllocatedTemp && isAllocated) { | ||
| if (caller.getType() != Account.Type.ADMIN && !IpAddressManager.AllowUserListAvailableIpsOnSharedNetwork.value()) { | ||
| s_logger.debug("Non-admin users are not allowed to list available IPs on shared networks"); | ||
| } else { | ||
| final SearchBuilder<IPAddressVO> searchBuilder = _publicIpAddressDao.createSearchBuilder(); | ||
| buildParameters(searchBuilder, cmd, false); | ||
|
|
||
| SearchCriteria<IPAddressVO> searchCriteria = searchBuilder.create(); | ||
| setParameters(searchCriteria, cmd, vlanType, false); | ||
| searchCriteria.setParameters("state", IpAddress.State.Free.name()); | ||
| addrs.addAll(_publicIpAddressDao.search(searchCriteria, searchFilter)); // Free IPs on shared network | ||
| } | ||
|
Comment on lines
+2479
to
+2490
Contributor
There was a problem hiding this comment. can we move this to a separate method, and the inner else-clause to the Dao?
Member
Author
There was a problem hiding this comment. @DaanHoogland
Contributor
There was a problem hiding this comment. all done in |
||
| } | ||
|
|
||
| if (freeAddrIds.size() > 0) { | ||
| final SearchBuilder<IPAddressVO> sb2 = _publicIpAddressDao.createSearchBuilder(); | ||
| buildParameters(sb2, cmd, false); | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this be setup to true by default; it's because users can already see public IPs say in an isolated network or VPC. Only stricter env can disable it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also worth testing in the UI -> that users can select shared network IP when adding NIC for example, or deploy a VM? cc @kiranchavala
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rohityadavcloud
some cloud providers might dislike it (as
true) , for security reasons.the UI changes requires some other changes, as normal users cannot list the global setting . we need to add it as a capability of the platform.