Allow root admin to deploy in VPCs in child domains (#6832)

and make root admin permissions configurable

Author: DaanHoogland

api/src/main/java/com/cloud/network/NetworkModel.java

@@ -89,9 +89,12 @@ public interface NetworkModel {
     List<String> metadataFileNames = new ArrayList<>(Arrays.asList(SERVICE_OFFERING_FILE, AVAILABILITY_ZONE_FILE, LOCAL_HOSTNAME_FILE, LOCAL_IPV4_FILE, PUBLIC_HOSTNAME_FILE, PUBLIC_IPV4_FILE,
             INSTANCE_ID_FILE, VM_ID_FILE, PUBLIC_KEYS_FILE, CLOUD_IDENTIFIER_FILE, HYPERVISOR_HOST_NAME_FILE));
 
-    static final ConfigKey<Integer> MACIdentifier = new ConfigKey<Integer>("Advanced",Integer.class, "mac.identifier", "0",
+    static final ConfigKey<Integer> MACIdentifier = new ConfigKey<>("Advanced",Integer.class, "mac.identifier", "0",
             "This value will be used while generating the mac addresses for isolated and shared networks. The hexadecimal equivalent value will be present at the 2nd octet of the mac address. Default value is null which means this feature is disabled.Its scope is global.", true, ConfigKey.Scope.Global);
 
+    static final ConfigKey<Boolean> AdminIsAllowedToDeployAnywhere = new ConfigKey<>("Advanced",Boolean.class, "admin.is.allowed.to.deploy.anywhere", "false",
+            "This will determine if the root admin is allowed to deploy in networks in subdomains.", true, ConfigKey.Scope.Global);
+
     /**
      * Lists IP addresses that belong to VirtualNetwork VLANs
      *

server/src/main/java/com/cloud/network/NetworkModelImpl.java

@@ -147,6 +147,7 @@
 
 public class NetworkModelImpl extends ManagerBase implements NetworkModel, Configurable {
     static final Logger s_logger = Logger.getLogger(NetworkModelImpl.class);
+    public static final String UNABLE_TO_USE_NETWORK = "Unable to use network with id= %s, permission denied";
     @Inject
     EntityManager _entityMgr;
     @Inject
@@ -1665,39 +1666,49 @@ public void checkCapabilityForProvider(Set<Provider> providers, Service service,
     }
 
     @Override
-    public void checkNetworkPermissions(Account caller, Network network) {
-        // dahn 20140310: I was thinking of making this an assert but
-        //                as we hardly ever test with asserts I think
-        //                we better make sure at runtime.
-        if (network == null) {
-            throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
-        }
-        // Perform account permission check
-        if (network.getGuestType() != GuestType.Shared || network.getAclType() == ACLType.Account) {
-            AccountVO networkOwner = _accountDao.findById(network.getAccountId());
-            if (networkOwner == null)
-                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
-                    ", network does not have an owner");
-            if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
-                checkProjectNetworkPermissions(caller, networkOwner, network);
+    public final void checkNetworkPermissions(Account caller, Network network) {
+        if (_accountMgr.isRootAdmin(caller.getAccountId()) && Boolean.TRUE.equals(AdminIsAllowedToDeployAnywhere.value())) {
+            if (s_logger.isDebugEnabled()) {
+                s_logger.debug("root admin is permitted to do stuff on every network");
+            }
+        } else {
+            if (network == null) {
+                throw new CloudRuntimeException("cannot check permissions on (Network) <null>");
+            }
+            s_logger.info(String.format("Checking permission for account %s (%s) on network %s (%s)", caller.getAccountName(), caller.getUuid(), network.getName(), network.getUuid()));
+            if (network.getGuestType() != GuestType.Shared || network.getAclType() == ACLType.Account) {
+                checkAccountNetworkPermissions(caller, network);
+
             } else {
-                List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
-                NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
-                if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
-                    throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
-                        ", permission denied");
-                }
+                checkDomainNetworkPermissions(caller, network);
             }
+        }
+    }
 
+    private void checkAccountNetworkPermissions(Account caller, Network network) {
+        AccountVO networkOwner = _accountDao.findById(network.getAccountId());
+        if (networkOwner == null)
+            throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid() +
+                ", network does not have an owner");
+        if (!Account.Type.PROJECT.equals(caller.getType()) && Account.Type.PROJECT.equals(networkOwner.getType())) {
+            checkProjectNetworkPermissions(caller, networkOwner, network);
         } else {
-            if (!isNetworkAvailableInDomain(network.getId(), caller.getDomainId())) {
-                DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
-                if (callerDomain == null) {
-                    throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
-                }
-                throw new PermissionDeniedException("Shared network id=" + ((NetworkVO)network).getUuid() + " is not available in domain id=" +
-                        callerDomain.getUuid());
+            List<NetworkVO> networkMap = _networksDao.listBy(caller.getId(), network.getId());
+            NetworkPermissionVO networkPermission = _networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId());
+            if (CollectionUtils.isEmpty(networkMap) && networkPermission == null) {
+                throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO) network).getUuid()));
+            }
+        }
+    }
+
+    private void checkDomainNetworkPermissions(Account caller, Network network) {
+        if (!isNetworkAvailableInDomain(network.getId(), caller.getDomainId())) {
+            DomainVO callerDomain = _domainDao.findById(caller.getDomainId());
+            if (callerDomain == null) {
+                throw new CloudRuntimeException("cannot check permission on account " + caller.getAccountName() + " whose domain does not exist");
             }
+            throw new PermissionDeniedException("Shared network id=" + ((NetworkVO) network).getUuid() + " is not available in domain id=" +
+                    callerDomain.getUuid());
         }
     }
 
@@ -1710,13 +1721,11 @@ private void checkProjectNetworkPermissions(Account owner, Account networkOwner,
         ProjectAccount projectAccountUser = _projectAccountDao.findByProjectIdUserId(project.getId(), user.getAccountId(), user.getId());
         if (projectAccountUser != null) {
             if (!_projectAccountDao.canUserAccessProjectAccount(user.getAccountId(), user.getId(), networkOwner.getId())) {
-                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO)network).getUuid() +
-                        ", permission denied");
+                throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO)network).getUuid()));
             }
         } else {
             if (!_projectAccountDao.canAccessProjectAccount(owner.getAccountId(), networkOwner.getId())) {
-                throw new PermissionDeniedException("Unable to use network with id= " + ((NetworkVO) network).getUuid() +
-                        ", permission denied");
+                throw new PermissionDeniedException(String.format(UNABLE_TO_USE_NETWORK, ((NetworkVO) network).getUuid()));
             }
         }
     }
@@ -2663,7 +2672,7 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] {MACIdentifier};
+        return new ConfigKey<?>[] {MACIdentifier, AdminIsAllowedToDeployAnywhere};
     }
 
     @Override

server/src/main/java/com/cloud/network/NetworkServiceImpl.java

@@ -1938,7 +1938,7 @@ public Pair<List<? extends Network>, Integer> searchForNetworks(ListNetworksCmd
         Boolean isSystem = cmd.getIsSystem();
         String aclType = cmd.getAclType();
         Long projectId = cmd.getProjectId();
-        List<Long> permittedAccounts = new ArrayList<Long>();
+        List<Long> permittedAccounts = new ArrayList<>();
         String path = null;
         Long physicalNetworkId = cmd.getPhysicalNetworkId();
         List<String> supportedServicesStr = cmd.getSupportedServices();

server/src/test/java/com/cloud/network/NetworkModelTest.java

@@ -33,6 +33,7 @@
 import java.util.List;
 import java.util.Set;
 
+import com.cloud.user.AccountManager;
 import org.apache.cloudstack.network.NetworkPermissionVO;
 import org.apache.cloudstack.network.dao.NetworkPermissionDao;
 import org.junit.Before;
@@ -114,6 +115,8 @@ public class NetworkModelTest {
     private DomainDao domainDao;
     @Mock
     private ProjectDao projectDao;
+    @Mock
+    private AccountManager _accountMgr;
 
     private static final long ZONE_1_ID = 1L;
     private static final long ZONE_2_ID = 2L;
@@ -307,6 +310,21 @@ public void testCheckNetworkPermissions() {
         networkModel.checkNetworkPermissions(caller, network);
     }
 
+    @Test
+    public void testCheckNetworkPermissionsForAdmin() {
+        long accountId = 1L;
+        AccountVO caller = mock(AccountVO.class);
+        when(caller.getId()).thenReturn(accountId);
+        when(caller.getType()).thenReturn(Account.Type.ADMIN);
+        NetworkVO network = mock(NetworkVO.class);
+        when(network.getGuestType()).thenReturn(Network.GuestType.Isolated);
+        when(network.getAccountId()).thenReturn(accountId);
+        when(accountDao.findById(accountId)).thenReturn(caller);
+        when(networkDao.listBy(caller.getId(), network.getId())).thenReturn(List.of(network));
+        when(networkPermissionDao.findByNetworkAndAccount(network.getId(), caller.getId())).thenReturn(mock(NetworkPermissionVO.class));
+        networkModel.checkNetworkPermissions(caller, network);
+    }
+
     @Test(expected = CloudRuntimeException.class)
     public void testCheckNetworkPermissionsNullNetwork() {
         AccountVO caller = mock(AccountVO.class);