2011-06-22 21:22:52 +04:00
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2011, OpenNebula Project Leads (OpenNebula.org) */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef ACL_MANAGER_H_
# define ACL_MANAGER_H_
# include "AuthManager.h"
# include "AclRule.h"
2011-07-03 15:12:00 +04:00
# include "SqlDB.h"
2011-06-22 21:22:52 +04:00
using namespace std ;
2011-06-27 20:41:16 +04:00
/**
* This class manages the ACL rules and the authorization engine
*/
class AclManager : public Callbackable
2011-06-22 21:22:52 +04:00
{
public :
2011-06-29 20:41:49 +04:00
AclManager ( SqlDB * _db ) ;
2011-06-22 21:22:52 +04:00
2011-07-05 18:32:18 +04:00
AclManager ( ) : db ( 0 ) , lastOID ( 0 )
{
pthread_mutex_init ( & mutex , 0 ) ;
} ;
virtual ~ AclManager ( ) ;
2011-06-24 15:22:17 +04:00
2011-06-27 20:41:16 +04:00
/**
* Loads the ACL rule set from the DB
* @ return 0 on success .
*/
int start ( ) ;
2011-06-22 21:22:52 +04:00
/* ---------------------------------------------------------------------- */
/* Rule management */
/* ---------------------------------------------------------------------- */
2011-06-27 20:41:16 +04:00
/**
* Takes an authorization request and checks if any rule in the ACL
* authorizes the operation .
*
* @ param uid The user ID requesting to be authorized
2011-07-07 21:01:04 +04:00
* @ param gid Group ID of the user
2011-06-27 20:41:16 +04:00
* @ param obj_type The object over which the operation will be performed
2011-12-30 01:05:11 +04:00
* @ param obj_perms The object ' s permission attributes
2011-06-27 20:41:16 +04:00
* @ param op The operation to be authorized
* @ return true if the authorization is granted by any rule
*/
2011-12-30 01:05:11 +04:00
const bool authorize ( int uid ,
int gid ,
AuthRequest : : Object obj_type ,
PoolObjectSQL : : Permissions obj_perms ,
AuthRequest : : Operation op ) ;
2011-06-27 20:41:16 +04:00
/**
* Adds a new rule to the ACL rule set
*
* @ param user 64 bit ID and flags
* @ param resource 64 bit ID and flags
* @ param rights 64 bit flags
* @ param error_str Returns the error reason , if any
2011-06-29 20:41:49 +04:00
*
* @ return the oid assigned to the rule on success ,
* - 1 if the rule exists ,
* - 2 if the rule is malformed ,
* - 3 if the DB insert failed
2011-06-27 20:41:16 +04:00
*/
2011-07-05 18:32:18 +04:00
virtual int add_rule ( long long user ,
long long resource ,
long long rights ,
string & error_str ) ;
2011-06-27 20:41:16 +04:00
/**
* Deletes a rule from the ACL rule set
*
2011-06-29 20:41:49 +04:00
* @ param oid Rule id
2011-06-27 20:41:16 +04:00
* @ param error_str Returns the error reason , if any
* @ return 0 on success
*/
2011-07-05 18:32:18 +04:00
virtual int del_rule ( int oid , string & error_str ) ;
2011-06-22 21:22:52 +04:00
2011-12-01 21:56:29 +04:00
/**
* Searches what resources of type obj_type the ACL rules set allows
* the given user to perform the operation .
*
* @ param uid The user ID
* @ param gid Group ID of the user
* @ param obj_type The object over which the search will be performed
* @ param op The operation to be searched
* @ param all True if the user can perform the operation over any object
* @ param oids Set of object IDs over which the user can operate
* @ param gids Set of object group IDs over which the user can operate
*/
void reverse_search ( int uid ,
int gid ,
AuthRequest : : Object obj_type ,
AuthRequest : : Operation op ,
bool & all ,
vector < int > & oids ,
vector < int > & gids ) ;
2011-06-22 21:22:52 +04:00
/* ---------------------------------------------------------------------- */
/* DB management */
/* ---------------------------------------------------------------------- */
/**
2011-06-27 20:41:16 +04:00
* Bootstraps the database table ( s ) associated to the ACL Manager
2011-10-10 17:14:46 +04:00
* @ return 0 on success
2011-06-22 21:22:52 +04:00
*/
2011-10-10 17:14:46 +04:00
static int bootstrap ( SqlDB * _db ) ;
2011-06-22 21:22:52 +04:00
/**
2011-06-27 20:41:16 +04:00
* Dumps the rule set in XML format .
* @ param oss The output stream to dump the rule set contents
2011-06-22 21:22:52 +04:00
* @ return 0 on success
*/
2011-07-05 18:32:18 +04:00
virtual int dump ( ostringstream & oss ) ;
2011-06-22 21:22:52 +04:00
2011-07-05 18:32:18 +04:00
protected :
2011-06-29 20:41:49 +04:00
2011-06-30 13:41:27 +04:00
// ----------------------------------------
// ACL rules management
// ----------------------------------------
2011-06-29 20:41:49 +04:00
/**
* ACL rules . Each rule is indexed by its ' user ' long long attibute ,
* several rules can apply to the same user
*/
2011-06-27 20:41:16 +04:00
multimap < long long , AclRule * > acl_rules ;
2011-06-22 21:22:52 +04:00
2011-06-29 20:41:49 +04:00
/**
* Rules indexed by oid . Stores the same rules as acl_rules
*/
map < int , AclRule * > acl_rules_oids ;
2011-07-05 18:32:18 +04:00
private :
2011-06-29 14:50:16 +04:00
/**
* Gets all rules that apply to the user_req and , if any of them grants
* permission , returns true .
*
* @ param user_req user / group id and flags
* @ param resource_oid_req 64 bit request , ob . type and individual oid
* @ param resource_gid_req 64 bit request , ob . type and group id
* @ param resource_all_req 64 bit request , ob . type and all flag
* @ param rights_req Requested rights
* @ param individual_obj_type Mask with ob . type and individual flags
2011-12-30 19:27:42 +04:00
* @ param group_obj_type Mask with ob . type and group flags
* @ param rules ACL rules to match
2011-06-29 14:50:16 +04:00
*
* @ return true if any rule grants permission
*/
bool match_rules (
long long user_req ,
long long resource_oid_req ,
long long resource_gid_req ,
long long resource_all_req ,
long long rights_req ,
long long individual_obj_type ,
2011-12-30 19:27:42 +04:00
long long group_obj_type ,
multimap < long long , AclRule * > & rules ) ;
/**
* Wrapper for match_rules . It will check if any rules in the temporary
* multimap or in the internal one grants permission .
*
* @ param user_req user / group id and flags
* @ param resource_oid_req 64 bit request , ob . type and individual oid
* @ param resource_gid_req 64 bit request , ob . type and group id
* @ param resource_all_req 64 bit request , ob . type and all flag
* @ param rights_req Requested rights
* @ param individual_obj_type Mask with ob . type and individual flags
* @ param group_obj_type Mask with ob . type and group flags
* @ param tmp_rules Temporary map group of ACL rules
*
* @ return true if any rule grants permission
*/
bool match_rules_wrapper (
long long user_req ,
long long resource_oid_req ,
long long resource_gid_req ,
long long resource_all_req ,
long long rights_req ,
long long individual_obj_type ,
long long group_obj_type ,
multimap < long long , AclRule * > & tmp_rules ) ;
2011-06-29 14:50:16 +04:00
2011-06-30 13:41:27 +04:00
// ----------------------------------------
// Mutex synchronization
// ----------------------------------------
pthread_mutex_t mutex ;
/**
* Function to lock the manager
*/
void lock ( )
{
pthread_mutex_lock ( & mutex ) ;
} ;
/**
* Function to unlock the manager
*/
void unlock ( )
{
pthread_mutex_unlock ( & mutex ) ;
} ;
2011-06-27 20:41:16 +04:00
// ----------------------------------------
// DataBase implementation variables
// ----------------------------------------
2011-06-22 21:22:52 +04:00
2011-06-27 20:41:16 +04:00
/**
* Pointer to the database .
*/
SqlDB * db ;
2011-06-22 21:22:52 +04:00
2011-06-29 20:41:49 +04:00
/**
* Last object ID assigned to a rule .
*/
int lastOID ;
/**
* Tablename for the ACL rules
*/
2011-06-27 20:41:16 +04:00
static const char * table ;
2011-06-22 21:22:52 +04:00
2011-06-27 20:41:16 +04:00
static const char * db_names ;
2011-06-22 21:22:52 +04:00
2011-06-27 20:41:16 +04:00
static const char * db_bootstrap ;
2011-06-29 20:41:49 +04:00
/**
* Inserts the last oid into the pool_control table
*/
void update_lastOID ( ) ;
2011-06-27 20:41:16 +04:00
/**
* Callback function to unmarshall the ACL rules
* @ param num the number of columns read from the DB
* @ param names the column names
* @ param vaues the column values
* @ return 0 on success
*/
int select_cb ( void * nil , int num , char * * values , char * * names ) ;
/**
* Reads the ACL rule set from the database .
* @ param db pointer to the db
* @ return 0 on success
*/
int select ( ) ;
/**
* Inserts the ACL rule in the database .
* @ param rule to insert
* @ return 0 on success
*/
2011-07-04 21:14:43 +04:00
int insert ( AclRule * rule )
{
return insert ( rule , db ) ;
} ;
/**
* Inserts the ACL rule in the database .
* @ param rule to insert
* @ db db pointer
*
* @ return 0 on success
*/
static int insert ( AclRule * rule , SqlDB * db ) ;
2011-06-27 20:41:16 +04:00
/**
* Drops an ACL rule from the database
2011-06-29 20:41:49 +04:00
*
* @ param oid Rule id
2011-06-27 20:41:16 +04:00
* @ return 0 on success
*/
2011-06-29 20:41:49 +04:00
int drop ( int oid ) ;
/**
* Callback to set the lastOID
*/
int init_cb ( void * nil , int num , char * * values , char * * names ) ;
2011-06-22 21:22:52 +04:00
} ;
# endif /*ACL_MANAGER_H*/