fix: disable domain sharing if non_default_domain_projects turned off

yunionio · Jun 28, 2020 · a23f57d · a23f57d
1 parent 561465e
commit a23f57d
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 13 deletions.
diff --git a/pkg/cloudcommon/db/sharablebase.go b/pkg/cloudcommon/db/sharablebase.go
@@ -162,8 +162,14 @@ func SharableManagerValidateCreateData(
 			input.IsPublic = &isPublic
 			reqScope = rbacutils.ScopeSystem
 		} else if input.PublicScope == string(rbacutils.ScopeDomain) {
-			input.IsPublic = &isPublic
-			reqScope = rbacutils.ScopeDomain
+			if consts.GetNonDefaultDomainProjects() {
+				// only if non_default_domain_projects turned on, allow sharing to domain
+				input.IsPublic = &isPublic
+				reqScope = rbacutils.ScopeDomain
+			} else {
+				input.IsPublic = &isPublic
+				reqScope = rbacutils.ScopeSystem
+			}
 		} else if input.IsPublic != nil && *input.IsPublic && len(input.PublicScope) == 0 {
 			// backward compatible, if only is_public is true, make it share to system
 			input.IsPublic = &isPublic
@@ -174,17 +180,23 @@ func SharableManagerValidateCreateData(
 			input.PublicScope = "" // string(rbacutils.ScopeNone)
 		}
 	case rbacutils.ScopeDomain:
-		if input.PublicScope == string(rbacutils.ScopeSystem) {
-			input.IsPublic = &isPublic
-			reqScope = rbacutils.ScopeSystem
-		} else if input.IsPublic != nil && *input.IsPublic && len(input.PublicScope) == 0 {
-			// backward compatible, if only is_public is true, make it share to system
-			input.IsPublic = &isPublic
-			input.PublicScope = string(rbacutils.ScopeSystem)
-			reqScope = rbacutils.ScopeSystem
+		if consts.GetNonDefaultDomainProjects() {
+			// only if non_default_domain_projects turned on, allow sharing domain resources
+			if input.PublicScope == string(rbacutils.ScopeSystem) {
+				input.IsPublic = &isPublic
+				reqScope = rbacutils.ScopeSystem
+			} else if input.IsPublic != nil && *input.IsPublic && len(input.PublicScope) == 0 {
+				// backward compatible, if only is_public is true, make it share to system
+				input.IsPublic = &isPublic
+				input.PublicScope = string(rbacutils.ScopeSystem)
+				reqScope = rbacutils.ScopeSystem
+			} else {
+				input.IsPublic = nil
+				input.PublicScope = "" // string(rbacutils.ScopeNone)
+			}
 		} else {
 			input.IsPublic = nil
-			input.PublicScope = "" // string(rbacutils.ScopeNone)
+			input.PublicScope = string(rbacutils.ScopeNone)
 		}
 	default:
 		return input, errors.Wrap(httperrors.ErrInputParameter, "the resource is not sharable")
@@ -423,6 +435,9 @@ func SharablePerformPublic(model ISharableBaseModel, ctx context.Context, userCr
 			targetScope = rbacutils.ScopeNone
 		}
 	case rbacutils.ScopeDomain:
+		if !consts.GetNonDefaultDomainProjects() {
+			return errors.Wrap(httperrors.ErrForbidden, "not allow to share to domain when non_default_domain_projects turned off")
+		}
 		if len(requireIds) == 0 {
 			return errors.Wrap(httperrors.ErrForbidden, "require to be shared to system")
 		}
@@ -555,7 +570,8 @@ func SharableModelIsShared(model ISharableBaseModel) bool {
 func SharableModelCustomizeCreate(model ISharableBaseModel, ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data jsonutils.JSONObject) error {
 	if !data.Contains("public_scope") {
 		resScope := model.GetModelManager().ResourceScope()
-		if resScope == rbacutils.ScopeDomain {
+		if resScope == rbacutils.ScopeDomain && consts.GetNonDefaultDomainProjects() {
+			// only if non_default_domain_projects turned on, do the following
 			isManaged := false
 			if managedModel, ok := model.(IManagedResourceBase); ok {
 				isManaged = managedModel.IsManaged()

diff --git a/pkg/compute/models/networks.go b/pkg/compute/models/networks.go
@@ -1615,7 +1615,8 @@ func (self *SNetwork) CustomizeCreate(ctx context.Context, userCred mcclient.Tok
 		if self.ServerType == api.NETWORK_TYPE_GUEST && !self.IsManaged() {
 			if db.IsAdminAllowPerform(userCred, self, "public") && ownerId.GetProjectDomainId() == userCred.GetProjectDomainId() {
 				self.SetShare(rbacutils.ScopeSystem)
-			} else if db.IsDomainAllowPerform(userCred, self, "public") && ownerId.GetProjectId() == userCred.GetProjectId() {
+			} else if db.IsDomainAllowPerform(userCred, self, "public") && ownerId.GetProjectId() == userCred.GetProjectId() && consts.GetNonDefaultDomainProjects() {
+				// only if non_default_domain_projects turned on, share to domain
 				self.SetShare(rbacutils.ScopeDomain)
 			} else {
 				self.SetShare(rbacutils.ScopeNone)