/* -------------------------------------------------------------------------- */
/* Copyright 2002-2018, OpenNebula Project, OpenNebula Systems */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef USER_POOL_H_
# define USER_POOL_H_
# include "PoolSQL.h"
# include "User.h"
# include "GroupPool.h"
# include "CachePool.h"
# include "LoginToken.h"
# include <time.h>
# include <sstream>
# include <iostream>
# include <vector>
using namespace std ;
class AuthRequest ; //Forward definition of AuthRequest
/**
* The User Pool class . . . .
*/
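class UserPool : public PoolSQL
{
public:

    /**
     *  Builds the User pool on top of a DB connection.
     *    @param db DB connection handed to PoolSQL
     *    @param __session_expiration_time expiration time for authentication
     *    sessions (presumably stored in _session_expiration_time; the
     *    constructor body is not in this header)
     *    @param hook_mads hook driver configuration
     *    @param remotes_location path to the remotes directory
     *    @param is_federation_slave true when this oned is a federation slave
     */
    UserPool(SqlDB * db,
             time_t  __session_expiration_time,
             vector<const VectorAttribute *> hook_mads,
             const string& remotes_location,
             bool    is_federation_slave);

    ~UserPool() {}

    /**
     *  Function to allocate a new User object
     *    @param oid the id assigned to the User (output)
     *    @param uname name of the new user
     *    @param gid id of the user's group
     *    @param password the user's password/token as given by the caller
     *    @param auth authentication driver name (e.g. CORE_AUTH, SERVER_AUTH)
     *    @param enabled whether the user is created enabled
     *    @param gids set of group ids the user belongs to
     *    @param error_str error reason, if any
     *    @return the oid assigned to the object or -1 in case of failure
     */
    int allocate(
        int *          oid,
        const string&  uname,
        int            gid,
        const string&  password,
        const string&  auth,
        bool           enabled,
        const set<int>& gids,
        string&        error_str);

    /**
     *  Drops the object's data in the data base. The object mutex SHOULD be
     *  locked.
     *    @param objsql a pointer to the object
     *    @param error_msg Error reason, if any
     *    @return 0 on success, -1 DB error
     */
    int drop(PoolObjectSQL * objsql, string& error_msg);

    /**
     *  Function to get a User from the pool, if the object is not in memory
     *  it is loaded from the DB. On success the User's session pointer is
     *  refreshed from the session token cache (cache-owned, do not free).
     *    @param oid User unique id
     *    @return a pointer to the User, 0 if the User could not be loaded
     */
    User * get(int oid)
    {
        User * u = static_cast<User *>(PoolSQL::get(oid));

        if (u != 0)
        {
            // Attach the cached SessionToken (may be 0 if none is cached)
            u->session = get_session_token(oid);
        }

        return u;
    }

    /**
     *  Function to get a User from the pool by name, if the object is not in
     *  memory it is loaded from the DB. On success the User's session pointer
     *  is refreshed from the session token cache (cache-owned, do not free).
     *    @param name user name
     *    @return a pointer to the User, 0 if the User could not be loaded
     */
    User * get(const string& name)
    {
        // The owner is set to -1, because it is not used in the key() method
        User * u = static_cast<User *>(PoolSQL::get(name, -1));

        if (u != 0)
        {
            u->session = get_session_token(u->oid);
        }

        return u;
    }

    /**
     *  Function to get the token password of an user from the pool
     *    @param oid creator of the object
     *    @param bck_oid owner of the object, only used if the creator does not
     *    exist
     *
     *    @return the user's token password
     */
    string get_token_password(int oid, int bck_oid);

    /**
     *  Update a particular User. This method does not update the user's quotas
     *    @param objsql pointer to the User (as a PoolObjectSQL)
     *    @return 0 on success
     */
    int update(PoolObjectSQL * objsql);

    /**
     *  Update a particular User's Quotas
     *    @param user pointer to User
     *    @return 0 on success
     */
    int update_quotas(User * user);

    /**
     *  Bootstraps the database table(s) associated to the User pool
     *    @param _db DB connection
     *    @return 0 on success
     */
    static int bootstrap(SqlDB * _db)
    {
        return User::bootstrap(_db);
    }

    /**
     *  Returns whether there is a user with given username/password or not
     *    @param session, colon separated username and password string
     *    @param password filled in by the authentication helpers on success
     *    (NOTE(review): treat as sensitive, do not log it)
     *    @param uid of the user if authN succeeded -1 otherwise
     *    @param gid of the user if authN succeeded -1 otherwise
     *    @param uname of the user if authN succeeded "" otherwise
     *    @param gname of the group if authN succeeded "" otherwise
     *    @param group_ids the user groups if authN succeeded, is empty otherwise
     *    @param umask of the user, 0 otherwise
     *
     *    @return false if authn failed, true otherwise
     */
    bool authenticate(const string& session,
                      string&       password,
                      int&          uid,
                      int&          gid,
                      string&       uname,
                      string&       gname,
                      set<int>&     group_ids,
                      int&          umask);

    /**
     *  Returns whether the operations described in an authorization request
     *  are authorized or not.
     *    @param ar, an Authorization Request
     *    @return -1 if authz failed, 0 otherwise
     */
    static int authorize(AuthRequest& ar);

    /**
     *  Dumps the User pool in XML format. A filter can be also added to the
     *  query
     *    @param oss the output stream to dump the pool contents
     *    @param where filter for the objects, defaults to all
     *    @param limit parameters used for pagination
     *    @param desc descending order of pool elements
     *
     *    @return 0 on success
     */
    int dump(ostringstream& oss, const string& where, const string& limit,
             bool desc);

    /**
     *  Name for the OpenNebula core authentication process
     */
    static const char * CORE_AUTH;

    /**
     *  Name for the OpenNebula server (delegated) authentication process
     */
    static const char * SERVER_AUTH;

    /**
     *  Name for the OpenNebula public authentication process. It only
     *  allows delegated authentication
     */
    static const char * PUBLIC_AUTH;

    /**
     *  Name for the default Sunstone server user
     */
    static const char * SERVER_NAME;

    /**
     *  Name of the oneadmin user
     */
    static string oneadmin_name;

    /**
     *  Identifier for the oneadmin user
     */
    static const int ONEADMIN_ID;

private:
    //--------------------------------------------------------------------------
    // Configuration Attributes for Users
    // -------------------------------------------------------------------------

    /**
     *  Authentication session expiration time
     */
    static time_t _session_expiration_time;

    /**
     *  Cache of SessionToken objects, keyed by user oid. Pointers handed out
     *  by get_session_token() are owned by this cache.
     */
    CachePool<SessionToken> cache;

    /**
     *  Returns the cached SessionToken for a user
     *    @param oid User unique id
     *    @return pointer to the cached token (owned by the cache)
     */
    SessionToken * get_session_token(int oid)
    {
        return cache.get_resource(oid);
    }

    /**
     *  Removes the cached SessionToken of a user, e.g. to invalidate a session
     *    @param oid User unique id
     */
    void delete_session_token(int oid)
    {
        cache.delete_resource(oid);
    }

    /**
     *  Function to authenticate internal (known) users
     */
    bool authenticate_internal(User *        user,
                               const string& token,
                               string&       password,
                               int&          user_id,
                               int&          group_id,
                               string&       uname,
                               string&       gname,
                               set<int>&     group_ids,
                               int&          umask);

    /**
     *  Function to authenticate internal users using a server driver
     */
    bool authenticate_server(User *        user,
                             const string& token,
                             string&       password,
                             int&          user_id,
                             int&          group_id,
                             string&       uname,
                             string&       gname,
                             set<int>&     group_ids,
                             int&          umask);

    /**
     *  Function to authenticate external (not known) users
     */
    bool authenticate_external(const string& username,
                               const string& token,
                               string&       password,
                               int&          user_id,
                               int&          group_id,
                               string&       uname,
                               string&       gname,
                               set<int>&     group_ids,
                               int&          umask);

    /**
     *  Factory method to produce User objects. The returned pointer is an
     *  owning raw pointer for the PoolSQL factory protocol (presumably the
     *  base pool takes ownership; confirm against PoolSQL).
     *    @return a pointer to the new User
     */
    PoolObjectSQL * create()
    {
        return new User(-1, -1, "", "", "", UserPool::CORE_AUTH, true);
    }
};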
# endif /*USER_POOL_H_*/