2011-06-22 19:22:52 +02:00
/* -------------------------------------------------------------------------- */
2021-02-09 16:07:56 +01:00
/* Copyright 2002-2021, OpenNebula Project, OpenNebula Systems */
2011-06-22 19:22:52 +02:00
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
# ifndef ACL_MANAGER_H_
# define ACL_MANAGER_H_
2020-07-24 16:00:59 +02:00
# include "Listener.h"
2012-05-31 16:51:07 +02:00
# include "AuthRequest.h"
2012-01-03 02:58:23 +01:00
# include "PoolObjectSQL.h"
2011-06-22 19:22:52 +02:00
2020-07-24 16:00:59 +02:00
class AclRule ;
2012-01-03 02:58:23 +01:00
class PoolObjectAuth ;
2019-12-10 11:45:15 +01:00
class SqlDB ;
2012-01-03 02:58:23 +01:00
2011-06-27 18:41:16 +02:00
/**
* This class manages the ACL rules and the authorization engine
*/
2020-07-24 16:00:59 +02:00
class AclManager : public Callbackable
2011-06-22 19:22:52 +02:00
{
public :
2014-01-30 11:41:56 +01:00
/**
* @ param _db pointer to the DB
* @ param zone_id of the Zone
2014-02-18 18:54:36 +01:00
* @ param is_federation_slave true is this oned is a federation slave . If
* it is true , it will reload periodically rules from the DB
2014-01-30 11:41:56 +01:00
* @ param timer_period period to reload the rules
*/
2014-02-18 18:54:36 +01:00
AclManager ( SqlDB * _db , int zone_id , bool is_federation_slave , time_t timer ) ;
2011-07-05 16:32:18 +02:00
virtual ~ AclManager ( ) ;
2011-06-24 13:22:17 +02:00
2011-06-27 18:41:16 +02:00
/**
2014-01-27 17:44:27 +01:00
* Loads the ACL rule set from the DB , and starts the refresh loop is
* refresh_cache is set
2011-06-27 18:41:16 +02:00
* @ return 0 on success .
*/
int start ( ) ;
2014-01-27 17:44:27 +01:00
void finalize ( ) ;
2020-07-24 16:00:59 +02:00
void join_thread ( ) ;
2017-05-08 23:57:51 +02:00
/**
* Reload the ACL rules from the DB . This function needs to be used when
* a server becomes leader of the zone as the ACL cache maybe out - dated
*/
void reload_rules ( )
{
select ( ) ;
}
2011-06-22 19:22:52 +02:00
/* ---------------------------------------------------------------------- */
/* Rule management */
/* ---------------------------------------------------------------------- */
2011-06-27 18:41:16 +02:00
/**
* Takes an authorization request and checks if any rule in the ACL
* authorizes the operation .
*
* @ param uid The user ID requesting to be authorized
2013-08-23 12:39:14 +02:00
* @ param user_groups Set of group IDs that the user is part of
2011-12-29 22:05:11 +01:00
* @ param obj_perms The object ' s permission attributes
2011-06-27 18:41:16 +02:00
* @ param op The operation to be authorized
* @ return true if the authorization is granted by any rule
*/
2020-07-05 22:01:32 +02:00
bool authorize ( int uid ,
const std : : set < int > & user_groups ,
const PoolObjectAuth & obj_perms ,
2020-09-05 19:29:49 +02:00
AuthRequest : : Operation op ) const ;
2018-05-23 14:42:57 +02:00
/**
* Takes an authorization request for oneadmin
* and checks if the resource is locked
*
* @ param obj_perms The object ' s permission attributes
* @ param op The operation to be authorized
* @ return true if the authorization is granted for oneadmin
*/
2020-07-05 22:01:32 +02:00
bool oneadmin_authorize ( const PoolObjectAuth & obj_perms ,
2020-09-05 19:29:49 +02:00
AuthRequest : : Operation op ) const ;
2011-12-29 22:05:11 +01:00
2011-06-27 18:41:16 +02:00
/**
* Adds a new rule to the ACL rule set
*
* @ param user 64 bit ID and flags
* @ param resource 64 bit ID and flags
* @ param rights 64 bit flags
2014-01-21 12:52:25 +01:00
* @ param zone 64 bit flags
2011-06-27 18:41:16 +02:00
* @ param error_str Returns the error reason , if any
2011-06-29 18:41:49 +02:00
*
* @ return the oid assigned to the rule on success ,
* - 1 if the rule exists ,
* - 2 if the rule is malformed ,
* - 3 if the DB insert failed
2011-06-27 18:41:16 +02:00
*/
2014-01-30 11:41:56 +01:00
virtual int add_rule ( long long user ,
long long resource ,
2011-07-05 16:32:18 +02:00
long long rights ,
2014-01-21 12:52:25 +01:00
long long zone ,
2020-07-02 22:42:10 +02:00
std : : string & error_str ) ;
2011-06-27 18:41:16 +02:00
/**
* Deletes a rule from the ACL rule set
*
2011-06-29 18:41:49 +02:00
* @ param oid Rule id
2011-06-27 18:41:16 +02:00
* @ param error_str Returns the error reason , if any
* @ return 0 on success
*/
2020-07-02 22:42:10 +02:00
virtual int del_rule ( int oid , std : : string & error_str ) ;
2011-06-22 19:22:52 +02:00
2013-12-13 11:43:34 +01:00
/**
* Deletes a new rule from the ACL rule set
*
* @ param user 64 bit ID and flags
* @ param resource 64 bit ID and flags
* @ param rights 64 bit flags
2014-01-21 12:52:25 +01:00
* @ param zone 64 bit flags
2013-12-13 11:43:34 +01:00
*
* @ param error_str Returns the error reason , if any
* @ return 0 on success
*/
virtual int del_rule ( long long user ,
long long resource ,
long long rights ,
2014-01-21 12:52:25 +01:00
long long zone ,
2020-07-02 22:42:10 +02:00
std : : string & error_str ) ;
2013-12-13 11:43:34 +01:00
2012-04-11 14:45:46 +02:00
/**
* Deletes rules that apply to this user id
*
* @ param uid The user id
*/
void del_uid_rules ( int uid ) ;
/**
* Deletes rules that apply to this group id
*
* @ param gid The group id
*/
void del_gid_rules ( int gid ) ;
2013-01-23 16:46:14 +01:00
/**
* Deletes rules that apply to this cluster id
*
* @ param cid The cluster id
*/
void del_cid_rules ( int cid ) ;
2014-02-21 15:23:24 +01:00
/**
* Deletes rules that apply to this cluster id
*
* @ param zid The zone id
*/
void del_zid_rules ( int zid ) ;
2012-04-16 16:24:42 +02:00
/**
* Deletes all rules that apply to this resource
*
* @ param oid Id of the deleted object
* @ param obj_type Object type
*/
void del_resource_rules ( int oid , PoolObjectSQL : : ObjectType obj_type ) ;
2011-12-01 09:56:29 -08:00
/**
* Searches what resources of type obj_type the ACL rules set allows
* the given user to perform the operation .
*
* @ param uid The user ID
2013-08-23 15:36:43 +02:00
* @ param user_groups Set of group IDs that the user is part of
2011-12-01 09:56:29 -08:00
* @ param obj_type The object over which the search will be performed
* @ param op The operation to be searched
* @ param all True if the user can perform the operation over any object
* @ param oids Set of object IDs over which the user can operate
* @ param gids Set of object group IDs over which the user can operate
2013-01-17 12:33:33 +01:00
* @ param cids Set of object cluster IDs over which the user can operate
2011-12-01 09:56:29 -08:00
*/
2012-01-03 02:58:23 +01:00
void reverse_search ( int uid ,
2020-07-02 22:42:10 +02:00
const std : : set < int > & user_groups ,
2012-01-03 02:58:23 +01:00
PoolObjectSQL : : ObjectType obj_type ,
AuthRequest : : Operation op ,
2014-09-23 20:18:18 +02:00
bool disable_all_acl ,
bool disable_cluster_acl ,
bool disable_group_acl ,
2012-01-03 02:58:23 +01:00
bool & all ,
2020-07-02 22:42:10 +02:00
std : : vector < int > & oids ,
std : : vector < int > & gids ,
std : : vector < int > & cids ) ;
2011-12-01 09:56:29 -08:00
2011-06-22 19:22:52 +02:00
/* ---------------------------------------------------------------------- */
/* DB management */
/* ---------------------------------------------------------------------- */
/**
2011-06-27 18:41:16 +02:00
* Bootstraps the database table ( s ) associated to the ACL Manager
2011-10-10 06:14:46 -07:00
* @ return 0 on success
2011-06-22 19:22:52 +02:00
*/
2011-10-10 06:14:46 -07:00
static int bootstrap ( SqlDB * _db ) ;
2011-06-22 19:22:52 +02:00
/**
2011-06-27 18:41:16 +02:00
* Dumps the rule set in XML format .
* @ param oss The output stream to dump the rule set contents
2011-06-22 19:22:52 +02:00
* @ return 0 on success
*/
2020-07-02 22:42:10 +02:00
virtual int dump ( std : : ostringstream & oss ) ;
2011-06-22 19:22:52 +02:00
2011-07-05 16:32:18 +02:00
protected :
2014-01-30 11:41:56 +01:00
/**
* Constructor for derived ACL managers . Classes derived from this one
* will operate in a stand - alone fashion ( i . e . no refresh of ACL rules
* from DB )
*/
AclManager ( int _zone_id )
2020-07-24 16:00:59 +02:00
: zone_id ( _zone_id )
, db ( 0 )
, is_federation_slave ( false )
, timer_period ( - 1 )
2014-01-30 11:41:56 +01:00
{
} ;
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2011-06-30 11:41:27 +02:00
// ACL rules management
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2011-06-29 18:41:49 +02:00
/**
* ACL rules . Each rule is indexed by its ' user ' long long attibute ,
* several rules can apply to the same user
*/
2020-07-02 22:42:10 +02:00
std : : multimap < long long , AclRule * > acl_rules ;
2011-06-22 19:22:52 +02:00
2011-06-29 18:41:49 +02:00
/**
* Rules indexed by oid . Stores the same rules as acl_rules
*/
2020-07-02 22:42:10 +02:00
std : : map < int , AclRule * > acl_rules_oids ;
2011-06-29 18:41:49 +02:00
2011-07-05 16:32:18 +02:00
private :
2011-06-29 12:50:16 +02:00
/**
* Gets all rules that apply to the user_req and , if any of them grants
* permission , returns true .
*
* @ param user_req user / group id and flags
* @ param resource_oid_req 64 bit request , ob . type and individual oid
* @ param resource_gid_req 64 bit request , ob . type and group id
2013-01-16 18:27:36 +01:00
* @ param resource_cid_req 64 bit request , ob . type and cluster id
2011-06-29 12:50:16 +02:00
* @ param resource_all_req 64 bit request , ob . type and all flag
* @ param rights_req Requested rights
* @ param individual_obj_type Mask with ob . type and individual flags
2011-12-30 16:27:42 +01:00
* @ param group_obj_type Mask with ob . type and group flags
2013-01-16 18:27:36 +01:00
* @ param cluster_obj_type Mask with ob . type and cluster flags
2011-12-30 16:27:42 +01:00
* @ param rules ACL rules to match
2011-06-29 12:50:16 +02:00
*
* @ return true if any rule grants permission
*/
bool match_rules (
2020-07-02 22:42:10 +02:00
long long user_req ,
long long resource_oid_req ,
long long resource_gid_req ,
const std : : set < long long > & resource_cid_req ,
long long resource_all_req ,
long long rights_req ,
long long resource_oid_mask ,
long long resource_gid_mask ,
long long resource_cid_mask ,
2020-09-05 19:29:49 +02:00
const std : : multimap < long long , AclRule * > & rules ) const ;
2011-12-30 16:27:42 +01:00
/**
* Wrapper for match_rules . It will check if any rules in the temporary
* multimap or in the internal one grants permission .
*
* @ param user_req user / group id and flags
* @ param resource_oid_req 64 bit request , ob . type and individual oid
* @ param resource_gid_req 64 bit request , ob . type and group id
2013-01-16 18:27:36 +01:00
* @ param resource_cid_req 64 bit request , ob . type and cluster id
2011-12-30 16:27:42 +01:00
* @ param resource_all_req 64 bit request , ob . type and all flag
* @ param rights_req Requested rights
* @ param individual_obj_type Mask with ob . type and individual flags
* @ param group_obj_type Mask with ob . type and group flags
2013-01-16 18:27:36 +01:00
* @ param cluster_obj_type Mask with ob . type and cluster flags
2011-12-30 16:27:42 +01:00
* @ param tmp_rules Temporary map group of ACL rules
*
* @ return true if any rule grants permission
*/
bool match_rules_wrapper (
2020-07-02 22:42:10 +02:00
long long user_req ,
long long resource_oid_req ,
long long resource_gid_req ,
const std : : set < long long > & resource_cid_req ,
long long resource_all_req ,
long long rights_req ,
long long individual_obj_type ,
long long group_obj_type ,
long long cluster_obj_type ,
2020-09-05 19:29:49 +02:00
const std : : multimap < long long , AclRule * > & tmp_rules ) const ;
2012-04-11 14:45:46 +02:00
/**
* Deletes all rules that match the user mask
*
* @ param user_req Mask to match
*/
void del_user_matching_rules ( long long user_req ) ;
2012-04-16 15:06:06 +02:00
/**
* Deletes all rules that match the resource mask
*
* @ param resource_req 64 bit request , ob . type and group id
* @ param resource_mask Mask with ob . type and group flags
*/
void del_resource_matching_rules (
long long resource_req ,
long long resource_mask ) ;
2014-02-21 15:23:24 +01:00
/**
* Deletes all rules that match the zone mask
*
* @ param zone_req Mask to match
*/
void del_zone_matching_rules ( long long zone_req ) ;
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2014-01-24 18:50:09 +01:00
// Local zone
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2014-01-24 18:50:09 +01:00
int zone_id ;
2014-01-21 12:52:25 +01:00
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2011-06-30 11:41:27 +02:00
// Mutex synchronization
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2011-06-30 11:41:27 +02:00
2020-09-05 19:29:49 +02:00
mutable std : : mutex acl_mutex ;
2011-06-30 11:41:27 +02:00
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2011-06-27 18:41:16 +02:00
// DataBase implementation variables
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2011-06-27 18:41:16 +02:00
/**
* Pointer to the database .
*/
SqlDB * db ;
2011-06-22 19:22:52 +02:00
2011-06-27 18:41:16 +02:00
/**
* Callback function to unmarshall the ACL rules
* @ param num the number of columns read from the DB
* @ param names the column names
* @ param vaues the column values
* @ return 0 on success
*/
int select_cb ( void * nil , int num , char * * values , char * * names ) ;
/**
* Reads the ACL rule set from the database .
* @ param db pointer to the db
* @ return 0 on success
*/
int select ( ) ;
/**
* Inserts the ACL rule in the database .
* @ param rule to insert
* @ return 0 on success
*/
2011-07-04 19:14:43 +02:00
int insert ( AclRule * rule )
{
return insert ( rule , db ) ;
} ;
/**
* Inserts the ACL rule in the database .
* @ param rule to insert
* @ db db pointer
*
* @ return 0 on success
*/
static int insert ( AclRule * rule , SqlDB * db ) ;
2011-06-27 18:41:16 +02:00
/**
* Drops an ACL rule from the database
2011-06-29 18:41:49 +02:00
*
* @ param oid Rule id
2011-06-27 18:41:16 +02:00
* @ return 0 on success
*/
2011-06-29 18:41:49 +02:00
int drop ( int oid ) ;
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2014-01-27 17:44:27 +01:00
// Refresh loop thread
2017-05-08 23:57:51 +02:00
// -------------------------------------------------------------------------
2014-01-27 17:44:27 +01:00
/**
* Flag to refresh the cache periodically
*/
2014-01-30 11:41:56 +01:00
bool is_federation_slave ;
2014-01-27 17:44:27 +01:00
/**
* Timer period for the cache refresh loop .
*/
time_t timer_period ;
/**
2020-07-24 16:00:59 +02:00
* Timer action async execution
2014-01-27 17:44:27 +01:00
*/
2020-07-24 16:00:59 +02:00
std : : unique_ptr < Timer > timer_thread ;
2014-01-27 17:44:27 +01:00
2017-02-03 14:19:15 +01:00
// -------------------------------------------------------------------------
// Action Listener interface
// -------------------------------------------------------------------------
2020-07-24 16:00:59 +02:00
void timer_action ( )
2017-02-03 14:19:15 +01:00
{
select ( ) ;
} ;
2011-06-22 19:22:52 +02:00
} ;
# endif /*ACL_MANAGER_H*/