mirror of https://github.com/OpenNebula/one.git synced 2025-03-22 18:50:08 +03:00

Merge remote-tracking branch 'origin/master' into feature-1713

Carlos Martín 2013-09-02 15:45:43 +02:00
commit 00525bf5c9
48 changed files with 1852 additions and 1803 deletions


@ -58,13 +58,13 @@ public:
* authorizes the operation.
*
* @param uid The user ID requesting to be authorized
* @param gid Group ID of the user
* @param user_groups Set of group IDs that the user is part of
* @param obj_perms The object's permission attributes
* @param op The operation to be authorized
* @return true if the authorization is granted by any rule
*/
const bool authorize(int uid,
int gid,
const set<int>& user_groups,
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op);
@ -128,7 +128,7 @@ public:
* the given user to perform the operation.
*
* @param uid The user ID
* @param gid Group ID of the user
* @param user_groups Set of group IDs that the user is part of
* @param obj_type The object over which the search will be performed
* @param op The operation to be searched
* @param all True if the user can perform the operation over any object
@ -137,7 +137,7 @@ public:
* @param cids Set of object cluster IDs over which the user can operate
*/
void reverse_search(int uid,
int gid,
const set<int>& user_groups,
PoolObjectSQL::ObjectType obj_type,
AuthRequest::Operation op,
bool& all,


@ -18,6 +18,7 @@
#define AUTH_REQUEST_H_
#include <time.h>
#include <set>
#include "ActionManager.h"
#include "PoolObjectAuth.h"
@ -36,7 +37,7 @@ using namespace std;
class AuthRequest : public SyncRequest
{
public:
AuthRequest(int _uid, int _gid): uid(_uid),gid(_gid),self_authorize(true){};
AuthRequest(int _uid, set<int> _gids): uid(_uid),gids(_gids),self_authorize(true){};
~AuthRequest(){};
@ -158,9 +159,9 @@ private:
int uid;
/**
* The user group ID
* The user groups ID set
*/
int gid;
set<int> gids;
/**
* Username to authenticate the user
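Review bot: The new constructor `AuthRequest(int _uid, set<int> _gids)` takes the group set by value and then copies it again into the `gids` member, so every request that builds an AuthRequest pays for two set copies. Taking the argument by const reference keeps the single copy into the member: `AuthRequest(int _uid, const set<int>& _gids): uid(_uid),gids(_gids),self_authorize(true){};`. The member comment "The user groups ID set" could also say that the set is expected to contain the primary group, since `add_auth` in this commit tests membership on it rather than on a separate gid.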


@ -20,6 +20,7 @@
#include <map>
#include <string>
#include <queue>
#include <set>
#include "SqlDB.h"
#include "PoolObjectSQL.h"
@ -180,30 +181,31 @@ public:
* Creates a filter for those objects (oids) or objects owned by a given
* group that an user can access based on the ACL rules
* @param uid the user id
* @param gid the group id
* @param user_groups Set of group IDs that the user is part of
* @param auth_object object type
* @param all returns if the user can access all objects
* @param filter the resulting filter string
*/
static void acl_filter(int uid,
int gid,
const set<int>& user_groups,
PoolObjectSQL::ObjectType auth_object,
bool& all,
string& filter);
/**
* Creates a filter for the objects owned by a given user/group
* @param uid the user id
* @param gid the group id
* @param user_groups Set of group IDs that the user is part of
* @param filter_flag query type (ALL, MINE, GROUP)
* @param all user can access all objects
* @param filter the resulting filter string
*/
static void usr_filter(int uid,
int gid,
int filter_flag,
bool all,
const string& acl_str,
string& filter);
static void usr_filter(int uid,
const set<int>& user_groups,
int filter_flag,
bool all,
const string& acl_str,
string& filter);
/**
* Creates a filter for a given set of objects based on their id
* @param start_id first id


@ -73,6 +73,8 @@ protected:
string uname; /**< name of the user */
string gname; /**< name of the user's group */
set<int> group_ids; /**< set of user's group ids */
string session; /**< Session from ONE XML-RPC API */
int req_id; /**< Request ID for log messages */


@ -45,8 +45,9 @@ protected:
/* -------------------------------------------------------------------- */
void request_execute(xmlrpc_c::paramList const& _paramList,
RequestAttributes& att);
void request_execute(
xmlrpc_c::paramList const& _paramList,
RequestAttributes& att);
virtual int user_action(int user_id,
xmlrpc_c::paramList const& _paramList,
@ -72,7 +73,7 @@ public:
~UserChangePassword(){};
int user_action(int user_id,
xmlrpc_c::paramList const& _paramList,
xmlrpc_c::paramList const& _paramList,
string& err);
void log_xmlrpc_param(
@ -124,10 +125,89 @@ public:
~UserSetQuota(){};
int user_action(int user_id,
xmlrpc_c::paramList const& _paramList,
xmlrpc_c::paramList const& _paramList,
string& err);
};
/* ------------------------------------------------------------------------- */
/* ------------------------------------------------------------------------- */
class UserEditGroup : public Request
{
public:
UserEditGroup(
const string& method_name,
const string& help,
const string& params):
Request(method_name,params,help)
{
auth_object = PoolObjectSQL::USER;
auth_op = AuthRequest::MANAGE;
Nebula& nd = Nebula::instance();
gpool = nd.get_gpool();
upool = nd.get_upool();
};
~UserEditGroup(){};
void request_execute(
xmlrpc_c::paramList const& _paramList,
RequestAttributes& att);
protected:
virtual int secondary_group_action(
int user_id,
int group_id,
xmlrpc_c::paramList const& _paramList,
string& error_str) = 0;
GroupPool * gpool;
UserPool * upool;
};
/* ------------------------------------------------------------------------- */
/* ------------------------------------------------------------------------- */
class UserAddGroup : public UserEditGroup
{
public:
UserAddGroup():
UserEditGroup("UserAddGroup",
"Adds the user to a secondary group",
"A:sii"){};
~UserAddGroup(){};
int secondary_group_action(
int user_id,
int group_id,
xmlrpc_c::paramList const& _paramList,
string& error_str);
};
/* ------------------------------------------------------------------------- */
/* ------------------------------------------------------------------------- */
class UserDelGroup : public UserEditGroup
{
public:
UserDelGroup():
UserEditGroup("UserDelGroup",
"Deletes the user from a secondary group",
"A:sii"){};
~UserDelGroup(){};
int secondary_group_action(
int user_id,
int group_id,
xmlrpc_c::paramList const& _paramList,
string& error_str);
};
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */


@ -20,6 +20,7 @@
#include "PoolSQL.h"
#include "UserTemplate.h"
#include "Quotas.h"
#include "ObjectCollection.h"
using namespace std;
@ -29,7 +30,7 @@ using namespace std;
/**
* The User class.
*/
class User : public PoolObjectSQL
class User : public PoolObjectSQL, public ObjectCollection
{
public:
@ -180,6 +181,47 @@ public:
*/
int get_umask() const;
/**
* Returns a copy of the groups for the user
*/
set<int> get_groups()
{
return get_collection_copy();
};
// *************************************************************************
// Group IDs set Management
// *************************************************************************
/**
* Adds a group ID to the groups set.
*
* @param id The new id
* @return 0 on success, -1 if the ID was already in the set
*/
int add_group(int group_id)
{
return add_collection_id(group_id);
}
/**
* Deletes a group ID from the groups set.
*
* @param id The id
* @return 0 on success,
* -1 if the ID was not in the set,
* -2 if the group to delete is the main group
*/
int del_group(int group_id)
{
if( group_id == gid )
{
return -2;
}
return del_collection_id(group_id);
}
private:
// -------------------------------------------------------------------------
// Friends
@ -310,6 +352,7 @@ protected:
const string& _auth_driver,
bool _enabled):
PoolObjectSQL(id,USER,_uname,-1,_gid,"",_gname,table),
ObjectCollection("GROUPS"),
quota("/USER/DATASTORE_QUOTA",
"/USER/NETWORK_QUOTA",
"/USER/IMAGE_QUOTA",


@ -124,6 +124,7 @@ public:
* @param gid of the user if authN succeeded -1 otherwise
* @param uname of the user if authN succeeded "" otherwise
* @param gname of the group if authN succeeded "" otherwise
* @param group_ids the user groups if authN succeeded, is empty otherwise
*
* @return false if authn failed, true otherwise
*/
@ -131,7 +132,8 @@ public:
int& uid,
int& gid,
string& uname,
string& gname);
string& gname,
set<int>& group_ids);
/**
* Returns whether the operations described in a authorization request are
* authorized ot not.
@ -217,7 +219,8 @@ private:
int& user_id,
int& group_id,
string& uname,
string& gname);
string& gname,
set<int>& group_ids);
/**
* Function to authenticate internal users using a server driver
@ -227,18 +230,20 @@ private:
int& user_id,
int& group_id,
string& uname,
string& gname);
string& gname,
set<int>& group_ids);
/**
* Function to authenticate external (not known) users
*/
bool authenticate_external(const string& username,
const string& token,
int& user_id,
int& group_id,
string& uname,
string& gname);
bool authenticate_external(const string& username,
const string& token,
int& user_id,
int& group_id,
string& uname,
string& gname,
set<int>& group_ids);
/**
* Factory method to produce User objects
* @return a pointer to the new User


@ -1132,6 +1132,7 @@ ONEDB_MIGRATOR_FILES="src/onedb/2.0_to_2.9.80.rb \
src/onedb/4.0.0_to_4.0.1.rb \
src/onedb/4.0.1_to_4.1.80.rb \
src/onedb/4.1.80_to_4.2.0.rb \
src/onedb/4.2.0_to_4.3.80.rb \
src/onedb/fsck.rb \
src/onedb/onedb.rb \
src/onedb/onedb_backend.rb"


@ -6,6 +6,13 @@
<xs:sequence>
<xs:element name="ID" type="xs:integer"/>
<xs:element name="GID" type="xs:integer"/>
<xs:element name="GROUPS">
<xs:complexType>
<xs:sequence>
<xs:element name="ID" type="xs:integer" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="GNAME" type="xs:string"/>
<xs:element name="NAME" type="xs:string"/>
<xs:element name="PASSWORD" type="xs:string"/>


@ -10,6 +10,13 @@
<xs:sequence>
<xs:element name="ID" type="xs:integer"/>
<xs:element name="GID" type="xs:integer"/>
<xs:element name="GROUPS">
<xs:complexType>
<xs:sequence>
<xs:element name="ID" type="xs:integer" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="GNAME" type="xs:string"/>
<xs:element name="NAME" type="xs:string"/>
<xs:element name="PASSWORD" type="xs:string"/>


@ -132,7 +132,7 @@ AclManager::~AclManager()
const bool AclManager::authorize(
int uid,
int gid,
const set<int>& user_groups,
const PoolObjectAuth& obj_perms,
AuthRequest::Operation op)
{
@ -280,23 +280,28 @@ const bool AclManager::authorize(
}
// ----------------------------------------------------------
// Look for rules that apply to the user's group
// Look for rules that apply to each one of the user's groups
// ----------------------------------------------------------
user_req = AclRule::GROUP_ID | gid;
auth = match_rules_wrapper(user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
resource_oid_mask,
resource_gid_mask,
resource_cid_mask,
tmp_rules);
if ( auth == true )
set<int>::iterator g_it;
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
{
return true;
user_req = AclRule::GROUP_ID | *g_it;
auth = match_rules_wrapper(user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
resource_oid_mask,
resource_gid_mask,
resource_cid_mask,
tmp_rules);
if ( auth == true )
{
return true;
}
}
oss.str("No more rules, permission not granted ");
@ -716,7 +721,7 @@ void AclManager::del_resource_matching_rules(long long resource_req,
/* -------------------------------------------------------------------------- */
void AclManager::reverse_search(int uid,
int gid,
const set<int>& user_groups,
PoolObjectSQL::ObjectType obj_type,
AuthRequest::Operation op,
bool& all,
@ -764,22 +769,30 @@ void AclManager::reverse_search(int uid,
// Look for the rules that match
// ---------------------------------------------------
long long user_reqs[] =
vector<long long> user_reqs;
vector<long long>::iterator reqs_it;
set<int>::iterator g_it;
// rules that apply to everyone
user_reqs.push_back(AclRule::ALL_ID);
// rules that apply to the individual user id
user_reqs.push_back(AclRule::INDIVIDUAL_ID | uid);
// rules that apply to each one of the user's groups
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
{
AclRule::ALL_ID, // rules that apply to everyone
AclRule::INDIVIDUAL_ID | uid, // rules that apply to the individual user id
AclRule::GROUP_ID | gid // rules that apply to the user's groups
};
user_reqs.push_back(AclRule::GROUP_ID | *g_it);
}
all = false;
for ( int i=0; i<3; i++ )
for (reqs_it = user_reqs.begin(); reqs_it != user_reqs.end(); reqs_it++)
{
long long user_req = user_reqs[i];
lock();
index = acl_rules.equal_range( user_req );
index = acl_rules.equal_range( *reqs_it );
for ( it = index.first; it != index.second; it++)
{


@ -67,7 +67,7 @@ void AuthRequest::add_auth(Operation op,
// Default conditions that grants permission :
// User is oneadmin, or is in the oneadmin group
if ( uid == 0 || gid == GroupPool::ONEADMIN_ID )
if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 )
{
auth = true;
}
@ -76,7 +76,7 @@ void AuthRequest::add_auth(Operation op,
Nebula& nd = Nebula::instance();
AclManager* aclm = nd.get_aclm();
auth = aclm->authorize(uid, gid, ob_perms, op);
auth = aclm->authorize(uid, gids, ob_perms, op);
}
oss << auth; // Store the ACL authorization result in the request
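Review bot: The default-grant test in `AuthRequest::add_auth` now reads `gids.count( GroupPool::ONEADMIN_ID ) == 1`, so holding oneadmin as a secondary group skips ACL evaluation exactly as primary membership did before; the equivalent test is introduced in `PoolSQL::acl_filter` in this commit. That turns the new `one.user.addgroup` call into a privilege-granting operation whenever the target group is oneadmin, and the unchanged comment above the condition does not say so. I would reword it to something like `// User is oneadmin, or has the oneadmin group as primary or secondary group: ACL rules are not consulted`. The body of `add_auth` starts and ends outside the hunk.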


@ -245,13 +245,15 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
def format_resource(user, options = {})
system = System.new(@client)
str="%-15s: %-20s"
str="%-16s: %-20s"
str_h1="%-80s"
CLIHelper.print_header(str_h1 % "USER #{user['ID']} INFORMATION")
puts str % ["ID", user.id.to_s]
puts str % ["NAME", user.name]
puts str % ["GROUP", user['GNAME']]
groups = user.retrieve_elements("GROUPS/ID")
puts str % ["SECONDARY GROUPS", groups.join(',') ] if groups.size > 1
puts str % ["PASSWORD", user['PASSWORD']]
puts str % ["AUTH_DRIVER", user['AUTH_DRIVER']]
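Review bot: The "SECONDARY GROUPS" row in `format_resource` prints every ID found under `GROUPS`, and the migrator and fsck changes in this commit both place the primary group in that list, so the primary group id is displayed as a secondary one. `groups.size` is also called without a guard; if `retrieve_elements` returns nil for a user whose body has no `GROUPS` element (its contract is not visible here), the line raises. Something like `groups = (user.retrieve_elements("GROUPS/ID") || []) - [user['GID']]` followed by `puts str % ["SECONDARY GROUPS", groups.join(',')] unless groups.empty?` would cover both, assuming both sides are strings.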


@ -380,7 +380,7 @@ cmd=CommandParser::CmdParser.new(ARGV) do
end
chgrp_desc = <<-EOT.unindent
Changes the User's main group
Changes the User's primary group
EOT
command :chgrp, chgrp_desc, [:range, :userid_list], :groupid do
@ -389,6 +389,30 @@ cmd=CommandParser::CmdParser.new(ARGV) do
end
end
addgroup_desc = <<-EOT.unindent
Adds the User to a secondary group
EOT
command :addgroup, addgroup_desc, [:range, :userid_list], :groupid do
gid = args[1]
helper.perform_actions(args[0],options,"group added") do |user|
user.addgroup( gid )
end
end
delgroup_desc = <<-EOT.unindent
Removes the User from a secondary group
EOT
command :delgroup, delgroup_desc, [:range, :userid_list], :groupid do
gid = args[1]
helper.perform_actions(args[0],options,"group deleted") do |user|
user.delgroup( gid )
end
end
chauth_desc = <<-EOT.unindent
Changes the User's auth driver and its password (optional)
Examples:


@ -36,6 +36,8 @@ public class User extends PoolElement{
private static final String CHAUTH = METHOD_PREFIX + "chauth";
private static final String UPDATE = METHOD_PREFIX + "update";
private static final String QUOTA = METHOD_PREFIX + "quota";
private static final String ADDGROUP = METHOD_PREFIX + "addgroup";
private static final String DELGROUP = METHOD_PREFIX + "delgroup";
/**
* Creates a new User representation.
@ -146,6 +148,33 @@ public class User extends PoolElement{
return client.call(CHGRP, id, gid);
}
/**
* Adds the User to a secondary group
*
* @param client XML-RPC Client.
* @param id The user id (uid) of the target user we want to modify.
* @param gid The new group ID.
* @return If an error occurs the error message contains the reason.
*/
public static OneResponse addgroup(Client client, int id, int gid)
{
return client.call(ADDGROUP, id, gid);
}
/**
* Removes the User from a secondary group. Fails if the
* group is the main one
*
* @param client XML-RPC Client.
* @param id The user id (uid) of the target user we want to modify.
* @param gid The group ID.
* @return If an error occurs the error message contains the reason.
*/
public static OneResponse delgroup(Client client, int id, int gid)
{
return client.call(DELGROUP, id, gid);
}
/**
* Changes the auth driver and the password of the given user
*
@ -242,6 +271,29 @@ public class User extends PoolElement{
return chgrp(client, id, gid);
}
/**
* Adds the User to a secondary group
*
* @param gid The new group ID.
* @return If an error occurs the error message contains the reason.
*/
public OneResponse addgroup(int gid)
{
return addgroup(client, id, gid);
}
/**
* Removes the User from a secondary group. Fails if the
* group is the main one
*
* @param gid The group ID.
* @return If an error occurs the error message contains the reason.
*/
public OneResponse delgroup(int gid)
{
return delgroup(client, id, gid);
}
/**
* Changes the auth driver and the password of the given user
*


@ -29,6 +29,8 @@ module OpenNebula
:delete => "user.delete",
:passwd => "user.passwd",
:chgrp => "user.chgrp",
:addgroup => "user.addgroup",
:delgroup => "user.delgroup",
:update => "user.update",
:chauth => "user.chauth",
:quota => "user.quota"
@ -124,7 +126,7 @@ module OpenNebula
return rc
end
# Changes the main group
# Changes the primary group
# gid:: _Integer_ the new group id. Set to -1 to leave the current one
# [return] nil in case of success or an Error object
def chgrp(gid)
@ -136,6 +138,23 @@ module OpenNebula
return rc
end
# Adds the User to a secondary group
# @param gid [Integer] the new group id.
# @return [nil, OpenNebula::Error] nil in case of success, Error
# otherwise
def addgroup(gid)
return call(USER_METHODS[:addgroup], @pe_id, gid)
end
# Removes the User from a secondary group. Fails if the
# group is the main one
# @param gid [Integer] the group id.
# @return [nil, OpenNebula::Error] nil in case of success, Error
# otherwise
def delgroup(gid)
return call(USER_METHODS[:delgroup], @pe_id, gid)
end
# Changes the auth driver and the password of the given User
#
# @param auth [String] the new auth driver


@ -0,0 +1,57 @@
# -------------------------------------------------------------------------- #
# Copyright 2002-2013, OpenNebula Project (OpenNebula.org), C12G Labs #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
require 'rexml/document'
module Migrator
def db_version
"4.3.80"
end
def one_version
"OpenNebula 4.3.80"
end
def up
########################################################################
# Feature #1742
########################################################################
@db.run "ALTER TABLE user_pool RENAME TO old_user_pool;"
@db.run "CREATE TABLE user_pool (oid INTEGER PRIMARY KEY, name VARCHAR(128), body MEDIUMTEXT, uid INTEGER, gid INTEGER, owner_u INTEGER, group_u INTEGER, other_u INTEGER, UNIQUE(name));"
@db.fetch("SELECT * FROM old_user_pool") do |row|
doc = REXML::Document.new(row[:body])
doc.root.add_element("GROUPS").add_element("ID").text = row[:gid].to_s
@db[:user_pool].insert(
:oid => row[:oid],
:name => row[:name],
:body => doc.root.to_s,
:uid => row[:oid],
:gid => row[:gid],
:owner_u => row[:owner_u],
:group_u => row[:group_u],
:other_u => row[:other_u])
end
@db.run "DROP TABLE old_user_pool;"
return true
end
end
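Review bot: In the migrator's `up`, `:uid => row[:oid]` is the only column of the insert that is not copied from its own source column; if the previous `uid` value is meant to survive the upgrade this rewrites it for every user, and if it is deliberate it needs a one-line comment such as `# user rows store their own oid in the uid column`. The rename / create / copy / drop sequence is also not wrapped in a transaction, so an exception while parsing one row's `body` leaves `old_user_pool` and a partly filled `user_pool` side by side; whether `@db` offers a transaction block is not visible from this file. The new `GROUPS` element is added unconditionally, which is fine for a first run but would append a second one if the body already had it.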


@ -177,9 +177,10 @@ module OneDBFsck
gid = doc.root.get_text('GID').to_s.to_i
user_gid = gid
user_gids = Set.new
if group[gid].nil?
log_error("User #{row[:oid]} is in group #{gid}, but it does not exist")
log_error("User #{row[:oid]} has primary group #{gid}, but it does not exist")
user_gid = 1
@ -191,9 +192,44 @@ module OneDBFsck
e.text = "users"
end
doc.root.each_element("GROUPS") { |e|
e.elements.delete("ID[.=#{gid}]")
e.add_element("ID").text = user_gid.to_s
}
users_fix[row[:oid]] = {:body => doc.to_s, :gid => user_gid}
end
doc.root.each_element("GROUPS/ID") { |e|
user_gids.add e.text.to_i
}
if !user_gids.include?(user_gid)
log_error("User #{row[:oid]} does not have his primary group #{user_gid} in the list of secondary groups")
doc.root.each_element("GROUPS") { |e|
e.add_element("ID").text = user_gid.to_s
}
user_gids.add user_gid.to_i
users_fix[row[:oid]] = {:body => doc.to_s, :gid => user_gid}
end
user_gids.each do |secondary_gid|
if group[secondary_gid].nil?
log_error("User #{row[:oid]} has secondary group #{secondary_gid}, but it does not exist")
doc.root.each_element("GROUPS") { |e|
e.elements.delete("ID[.=#{secondary_gid}]")
}
users_fix[row[:oid]] = {:body => doc.to_s, :gid => user_gid}
else
group[secondary_gid] << row[:oid]
end
end
if gid != row[:gid]
log_error(
"User #{row[:oid]} is in group #{gid}, but the DB "<<
@ -201,8 +237,6 @@ module OneDBFsck
users_fix[row[:oid]] = {:body => doc.to_s, :gid => user_gid}
end
group[user_gid] << row[:oid]
end
users_fix.each do |id, user|
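Review bot: In the branch that handles a missing primary group, `e.add_element("ID").text = user_gid.to_s` appends the fallback id without checking whether it is already under `GROUPS`, so a user who already had that group as a secondary one ends up with two identical `ID` elements in the repaired body. The later pass collects the ids into a `Set`, which hides the duplicate, and the body is still written through `users_fix`. Guarding the append, `e.add_element("ID").text = user_gid.to_s if e.elements["ID[.=#{user_gid}]"].nil?`, avoids it. The surrounding loop starts outside the hunk, so how the daemon treats a duplicated id is not something I can confirm from here.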


@ -579,14 +579,14 @@ int PoolSQL::search(
/* -------------------------------------------------------------------------- */
void PoolSQL::acl_filter(int uid,
int gid,
const set<int>& user_groups,
PoolObjectSQL::ObjectType auth_object,
bool& all,
string& filter)
{
filter.clear();
if ( uid == 0 || gid == 0 )
if ( uid == UserPool::ONEADMIN_ID || user_groups.count( GroupPool::ONEADMIN_ID ) == 1 )
{
all = true;
return;
@ -603,7 +603,7 @@ void PoolSQL::acl_filter(int uid,
vector<int> cids;
aclm->reverse_search(uid,
gid,
user_groups,
auth_object,
AuthRequest::USE,
all,
@ -631,32 +631,43 @@ void PoolSQL::acl_filter(int uid,
/* -------------------------------------------------------------------------- */
void PoolSQL::usr_filter(int uid,
int gid,
int filter_flag,
bool all,
const string& acl_str,
string& filter)
void PoolSQL::usr_filter(int uid,
const set<int>& user_groups,
int filter_flag,
bool all,
const string& acl_str,
string& filter)
{
ostringstream uid_filter;
set<int>::iterator g_it;
if ( filter_flag == RequestManagerPoolInfoFilter::MINE )
{
uid_filter << "uid = " << uid;
}
else if ( filter_flag == RequestManagerPoolInfoFilter::MINE_GROUP )
{
uid_filter << " uid = " << uid
<< " OR ( gid = " << gid << " AND group_u = 1 )";
uid_filter << " uid = " << uid;
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
{
uid_filter << " OR ( gid = " << *g_it << " AND group_u = 1 )";
}
}
else if ( filter_flag == RequestManagerPoolInfoFilter::ALL )
{
if (!all)
{
uid_filter << " uid = " << uid
<< " OR ( gid = " << gid << " AND group_u = 1 )"
<< " OR other_u = 1"
<< acl_str;
<< " OR other_u = 1";
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
{
uid_filter << " OR ( gid = " << *g_it << " AND group_u = 1 )";
}
uid_filter << acl_str;
}
}
else
@ -665,11 +676,14 @@ void PoolSQL::usr_filter(int uid,
if ( filter_flag != uid && !all )
{
uid_filter << " AND ("
<< " ( gid = " << gid << " AND group_u = 1)"
<< " OR other_u = 1"
<< acl_str
<< ")";
uid_filter << " AND ( other_u = 1";
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
{
uid_filter << " OR ( gid = " << *g_it << " AND group_u = 1 )";
}
uid_filter << acl_str << ")";
}
}


@ -40,7 +40,8 @@ void Request::execute(
att.uid,
att.gid,
att.uname,
att.gname);
att.gname,
att.group_ids);
log_method_invoked(att, _paramList);
@ -240,7 +241,7 @@ bool Request::basic_authorization(int oid,
perms.obj_type = auth_object;
}
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(op, perms);


@ -254,6 +254,8 @@ void RequestManager::register_xml_methods()
xmlrpc_c::methodPtr user_change_password(new UserChangePassword());
xmlrpc_c::methodPtr user_change_auth(new UserChangeAuth());
xmlrpc_c::methodPtr user_set_quota(new UserSetQuota());
xmlrpc_c::methodPtr user_add_group(new UserAddGroup());
xmlrpc_c::methodPtr user_del_group(new UserDelGroup());
// Group Methods
xmlrpc_c::methodPtr group_set_quota(new GroupSetQuota());
@ -493,6 +495,8 @@ void RequestManager::register_xml_methods()
RequestManagerRegistry.addMethod("one.user.info", user_info);
RequestManagerRegistry.addMethod("one.user.passwd", user_change_password);
RequestManagerRegistry.addMethod("one.user.chgrp", user_chown);
RequestManagerRegistry.addMethod("one.user.addgroup", user_add_group);
RequestManagerRegistry.addMethod("one.user.delgroup", user_del_group);
RequestManagerRegistry.addMethod("one.user.chauth", user_change_auth);
RequestManagerRegistry.addMethod("one.user.quota", user_set_quota);


@ -34,7 +34,7 @@ bool RequestManagerAllocate::allocate_authorization(
string tmpl_str = "";
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
if ( tmpl != 0 )
{
@ -73,7 +73,7 @@ bool VirtualMachineAllocate::allocate_authorization(
return true;
}
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
string t64;
string aname;
@ -459,7 +459,7 @@ void ImageAllocate::request_execute(xmlrpc_c::paramList const& params,
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
string aname;


@ -108,7 +108,7 @@ void RequestManagerChmod::request_execute(xmlrpc_c::paramList const& paramList,
}
}
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(op, perms);


@ -213,7 +213,7 @@ void RequestManagerChown::request_execute(xmlrpc_c::paramList const& paramList,
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
rc = get_info(pool, oid, auth_object, att, operms, oname);
@ -317,6 +317,8 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
int rc;
bool remove_old_group;
string ngname;
string uname;
@ -363,7 +365,7 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, uperms); // MANAGE USER
ar.add_auth(AuthRequest::USE, ngperms); // USE GROUP
@ -399,6 +401,18 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
user->set_group(ngid,ngname);
// The user is removed from the old group only if the new group is not a
// secondary one
rc = user->add_group(ngid);
remove_old_group = (rc == 0);
if (remove_old_group)
{
user->del_group(old_gid);
}
upool->update(user);
user->unlock();
@ -423,15 +437,18 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
// ------------- Updates old group removing the user ---------------------
group = gpool->get(old_gid, true);
if( group != 0 )
if (remove_old_group)
{
group->del_user(oid);
group = gpool->get(old_gid, true);
gpool->update(group);
if( group != 0 )
{
group->del_user(oid);
group->unlock();
gpool->update(group);
group->unlock();
}
}
success_response(oid, att);
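Review bot: In `UserChown::request_execute`, when `user->add_group(ngid)` reports that the new primary group was already a secondary one, `remove_old_group` is false and the old primary group silently stays in the user's group set. Changing the primary group of a user away from oneadmin to a group they already belong to therefore leaves oneadmin as a secondary group, which `AuthRequest::add_auth` in this commit treats as full administrator. If that is the intended semantics, the comment should spell it out, e.g. `// If ngid was already a secondary group, old_gid is kept as a secondary group and its privileges remain`; the return value of `user->del_group(old_gid)` is also discarded. The function body starts and ends outside these hunks.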


@ -79,7 +79,7 @@ void RequestManagerClone::request_execute(
{
string tmpl_str = "";
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, perms); //USE OBJECT


@ -70,7 +70,7 @@ void RequestManagerCluster::add_generic(
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
if ( cluster_id != ClusterPool::NONE_CLUSTER_ID )
{

View File

@ -47,7 +47,7 @@ bool RequestManagerDelete::delete_authorization(
object->unlock();
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, perms); // <MANAGE|ADMIN> OBJECT
@ -227,8 +227,11 @@ int ClusterDelete::drop(int oid, PoolObjectSQL * object, string& error_msg)
int UserDelete::drop(int oid, PoolObjectSQL * object, string& error_msg)
{
User * user = static_cast<User *>(object);
int group_id = user->get_gid();
set<int> group_set;
set<int>::iterator it;
User * user = static_cast<User *>(object);
group_set = user->get_groups();
if (oid == 0)
{
@ -244,10 +247,17 @@ int UserDelete::drop(int oid, PoolObjectSQL * object, string& error_msg)
if ( rc == 0 )
{
Group * group = gpool->get(group_id, true);
Group * group;
if( group != 0 )
for ( it = group_set.begin(); it != group_set.end(); it++ )
{
group = gpool->get(*it, true);
if( group == 0 )
{
continue;
}
group->del_user(oid);
gpool->update(group);


@ -357,7 +357,7 @@ void ImageClone::request_execute(
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
string tmpl_str;
// ------------------ Check permissions and ACLs ----------------------


@ -279,9 +279,9 @@ void RequestManagerPoolInfoFilter::where_filter(
ostringstream filter;
PoolSQL::acl_filter(att.uid, att.gid, auth_object, all, acl_str);
PoolSQL::acl_filter(att.uid, att.group_ids, auth_object, all, acl_str);
PoolSQL::usr_filter(att.uid, att.gid, filter_flag, all, acl_str, uid_str);
PoolSQL::usr_filter(att.uid, att.group_ids, filter_flag, all, acl_str, uid_str);
PoolSQL::oid_filter(start_id, end_id, oid_str);


@ -53,7 +53,7 @@ void RequestManagerRename::request_execute(xmlrpc_c::paramList const& paramList,
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, operms); // MANAGE OBJECT


@ -210,3 +210,186 @@ int UserSetQuota::user_action(int user_id,
return rc;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void UserEditGroup::
request_execute(xmlrpc_c::paramList const& paramList,
RequestAttributes& att)
{
int user_id = xmlrpc_c::value_int(paramList.getInt(1));
int group_id = xmlrpc_c::value_int(paramList.getInt(2));
int rc;
string error_str;
string gname;
string uname;
PoolObjectAuth uperms;
PoolObjectAuth gperms;
rc = get_info(upool, user_id, PoolObjectSQL::USER, att, uperms, uname);
if ( rc == -1 )
{
return;
}
rc = get_info(gpool, group_id, PoolObjectSQL::GROUP, att, gperms, gname);
if ( rc == -1 )
{
return;
}
if ( att.uid != UserPool::ONEADMIN_ID )
{
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(AuthRequest::MANAGE, uperms); // MANAGE USER
ar.add_auth(AuthRequest::MANAGE, gperms); // MANAGE GROUP
if (UserPool::authorize(ar) == -1)
{
failure_response(AUTHORIZATION,
authorization_error(ar.message, att),
att);
return;
}
}
if ( secondary_group_action(user_id, group_id, paramList, error_str) < 0 )
{
failure_response(ACTION, request_error(error_str,""), att);
return;
}
success_response(user_id, att);
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
int UserAddGroup::secondary_group_action(
int user_id,
int group_id,
xmlrpc_c::paramList const& _paramList,
string& error_str)
{
User * user;
Group * group;
int rc;
user = upool->get(user_id,true);
if ( user == 0 )
{
return -1;
}
rc = user->add_group(group_id);
if ( rc != 0 )
{
user->unlock();
error_str = "User is already in this group";
return -1;
}
upool->update(user);
user->unlock();
group = gpool->get(group_id, true);
if( group == 0 )
{
user = upool->get(user_id,true);
if ( user != 0 )
{
user->del_group(group_id);
upool->update(user);
user->unlock();
}
error_str = "Group does not exist";
return -1;
}
group->add_user(user_id);
gpool->update(group);
group->unlock();
return 0;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
int UserDelGroup::secondary_group_action(
int user_id,
int group_id,
xmlrpc_c::paramList const& _paramList,
string& error_str)
{
User * user;
Group * group;
int rc;
user = upool->get(user_id,true);
rc = user->del_group(group_id);
if ( rc != 0 )
{
user->unlock();
if ( rc == -1 )
{
error_str = "User is not part of this group";
}
else if ( rc == -2 )
{
error_str = "Cannot remove user from the primary group";
}
else
{
error_str = "Cannot remove user from group";
}
return rc;
}
upool->update(user);
user->unlock();
group = gpool->get(group_id, true);
if( group == 0 )
{
//Group does not exist, should never occur
error_str = "Cannot remove user from group";
return -1;
}
group->del_user(user_id);
gpool->update(group);
group->unlock();
return 0;
}


@ -177,7 +177,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
if ( att.uid != 0 )
{
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(auth_op, perms); //USE TEMPLATE


@ -55,7 +55,7 @@ bool RequestManagerVirtualMachine::vm_authorization(
object->unlock();
AuthRequest ar(att.uid, att.gid);
AuthRequest ar(att.uid, att.group_ids);
ar.add_auth(op, vm_perms);


@ -431,8 +431,14 @@ void Scheduler::match()
host_perms.oid = host->get_hid();
host_perms.obj_type = PoolObjectSQL::HOST;
// Even if the owner is in several groups, this request only
// uses the VM group ID
set<int> gids;
gids.insert(gid);
matched = acls->authorize(uid,
gid,
gids,
host_perms,
AuthRequest::MANAGE);
}
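Review bot: The `gids` set built in this hunk of Scheduler::match holds only the single `gid`, so the scheduler's ACL check can disagree with the core, which in this same commit authorizes against the full set (`att.group_ids`). A VM whose owner reaches a host only through a secondary group would presumably pass the core's check but never be matched here. If that is intended, the comment should state the consequence, e.g. `// Secondary groups of the owner are not loaded here; ACL rules granted through them do not apply to scheduling`; otherwise the owner's groups should be loaded the way get_image_path does with `user->get_groups()`. The set is also rebuilt on every evaluation although `gid` looks constant per VM; the enclosing loops start and end outside the hunk, so where to hoist it cannot be judged from here.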


@ -353,7 +353,7 @@ var file_actions = {
type: "single",
call: OpenNebula.Image.rename,
callback: function(request) {
notifyMessage("File renamed correctly");
notifyMessage(tr("File renamed correctly"));
Sunstone.runAction('Image.showinfo',request.request.data[0]);
Sunstone.runAction('Image.list');
},


@ -522,7 +522,7 @@ var image_actions = {
type: "single",
call: OpenNebula.Image.rename,
callback: function(request) {
notifyMessage("Image renamed correctly");
notifyMessage(tr("Image renamed correctly"));
Sunstone.runAction('Image.showinfo',request.request.data[0]);
Sunstone.runAction('Image.list');
},


@ -381,6 +381,7 @@ var template_actions = {
type: "single",
call: OpenNebula.Template.rename,
callback: function(request) {
notifyMessage(tr("Template renamed correctly"));
Sunstone.runAction('Template.showinfo',request.request.data[0]);
Sunstone.runAction("Template.show",request.request.data[0]);
},


@ -819,7 +819,7 @@ var vm_actions = {
type: "single",
call: OpenNebula.VM.rename,
callback: function(request) {
notifyMessage("VirtualMachine renamed correctly");
notifyMessage(tr("VirtualMachine renamed correctly"));
Sunstone.runAction('VM.showinfo',request.request.data[0]);
Sunstone.runAction("VM.list");
},


@ -617,7 +617,7 @@ var vnet_actions = {
type: "single",
call: OpenNebula.Network.rename,
callback: function(request) {
notifyMessage("VirtualNetwork renamed correctly");
notifyMessage(tr("VirtualNetwork renamed correctly"));
Sunstone.runAction('Network.showinfo',request.request.data[0]);
Sunstone.runAction("Network.list");
},


@ -156,6 +156,9 @@ string& User::to_xml_extended(string& xml, bool extended) const
string template_xml;
string quota_xml;
string collection_xml;
ObjectCollection::to_xml(collection_xml);
int enabled_int = enabled?1:0;
@ -163,6 +166,7 @@ string& User::to_xml_extended(string& xml, bool extended) const
"<USER>"
"<ID>" << oid <<"</ID>" <<
"<GID>" << gid <<"</GID>" <<
collection_xml <<
"<GNAME>" << gname <<"</GNAME>" <<
"<NAME>" << name <<"</NAME>" <<
"<PASSWORD>" << password <<"</PASSWORD>" <<
@ -220,7 +224,22 @@ int User::from_xml(const string& xml)
rc += obj_template->from_xml_node(content[0]);
ObjectXML::free_nodes(content);
content.clear();
ObjectXML::get_nodes("/USER/GROUPS", content);
if (content.empty())
{
return -1;
}
// Set of IDs
rc += ObjectCollection::from_xml_node(content[0]);
ObjectXML::free_nodes(content);
content.clear();
// Quotas
rc += quota.from_xml(this);
if (rc != 0)
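Review bot: In the User::from_xml hunk, the new `/USER/GROUPS` lookup returns -1 when the node is missing, so any user body stored before this change would fail to load unless a database migration adds the element first; no migration is visible in this section. If one exists, the check should say so, e.g. `// GROUPS is mandatory; user bodies written by older versions must be migrated before loading`. If none exists, the function would need a fallback that seeds the collection from the primary group instead of failing. from_xml starts and continues outside the hunk.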


@ -293,6 +293,9 @@ int UserPool::allocate (
// Build a new User object
user = new User(-1, gid, uname, gname, upass, auth_driver, enabled);
// Add the primary group to the collection
user->add_collection_id(gid);
// Set a password for the OneGate tokens
user->add_template_attribute("TOKEN_PASSWORD", one_util::random_password());
@ -348,7 +351,8 @@ bool UserPool::authenticate_internal(User * user,
int& user_id,
int& group_id,
string& uname,
string& gname)
string& gname,
set<int>& group_ids)
{
bool result = false;
@ -367,6 +371,8 @@ bool UserPool::authenticate_internal(User * user,
user_id = user->oid;
group_id = user->gid;
group_ids = user->get_groups();
uname = user->name;
gname = user->gname;
@ -381,7 +387,7 @@ bool UserPool::authenticate_internal(User * user,
return true;
}
AuthRequest ar(user_id, group_id);
AuthRequest ar(user_id, group_ids);
if ( auth_driver == UserPool::CORE_AUTH )
{
@ -445,6 +451,8 @@ auth_failure:
user_id = -1;
group_id = -1;
group_ids.clear();
uname = "";
gname = "";
@ -459,7 +467,8 @@ bool UserPool::authenticate_server(User * user,
int& user_id,
int& group_id,
string& uname,
string& gname)
string& gname,
set<int>& group_ids)
{
bool result = false;
@ -480,7 +489,7 @@ bool UserPool::authenticate_server(User * user,
auth_driver = user->auth_driver;
AuthRequest ar(user->oid, user->gid);
AuthRequest ar(user->oid, user->get_groups());
user->unlock();
@ -502,6 +511,8 @@ bool UserPool::authenticate_server(User * user,
user_id = user->oid;
group_id = user->gid;
group_ids = user->get_groups();
uname = user->name;
gname = user->gname;
@ -571,6 +582,8 @@ auth_failure:
user_id = -1;
group_id = -1;
group_ids.clear();
uname = "";
gname = "";
@ -580,12 +593,13 @@ auth_failure:
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool UserPool::authenticate_external(const string& username,
const string& token,
int& user_id,
int& group_id,
string& uname,
string& gname)
bool UserPool::authenticate_external(const string& username,
const string& token,
int& user_id,
int& group_id,
string& uname,
string& gname,
set<int>& group_ids)
{
ostringstream oss;
istringstream is;
@ -598,7 +612,9 @@ bool UserPool::authenticate_external(const string& username,
Nebula& nd = Nebula::instance();
AuthManager * authm = nd.get_authm();
AuthRequest ar(-1,-1);
set<int> empty_set;
AuthRequest ar(-1,empty_set);
if (authm == 0)
{
@ -653,6 +669,7 @@ bool UserPool::authenticate_external(const string& username,
}
group_id = GroupPool::USERS_ID;
group_ids.insert( GroupPool::USERS_ID );
uname = mad_name;
gname = GroupPool::USERS_NAME;
@ -681,6 +698,8 @@ auth_failure:
user_id = -1;
group_id = -1;
group_ids.clear();
uname = "";
gname = "";
@ -694,7 +713,8 @@ bool UserPool::authenticate(const string& session,
int& user_id,
int& group_id,
string& uname,
string& gname)
string& gname,
set<int>& group_ids)
{
User * user = 0;
string username;
@ -718,16 +738,16 @@ bool UserPool::authenticate(const string& session,
if ( fnmatch(UserPool::SERVER_AUTH, driver.c_str(), 0) == 0 )
{
ar = authenticate_server(user,token,user_id,group_id,uname,gname);
ar = authenticate_server(user,token,user_id,group_id,uname,gname,group_ids);
}
else
{
ar = authenticate_internal(user,token,user_id,group_id,uname,gname);
ar = authenticate_internal(user,token,user_id,group_id,uname,gname,group_ids);
}
}
else
{
ar = authenticate_external(username,token,user_id,group_id,uname,gname);
ar = authenticate_external(username,token,user_id,group_id,uname,gname,group_ids);
}
return ar;
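Review bot: In authenticate_external (hunk `@ -653,6 +669,7`) the success path only adds to the caller's set, `group_ids.insert( GroupPool::USERS_ID );`, whereas authenticate_internal and authenticate_server overwrite it with `group_ids = user->get_groups();`. If a caller passes a set that already holds IDs, those stale groups survive a successful external login and would be carried into later authorization requests. Adding `group_ids.clear();` just before the insert makes the three paths equivalent and matches what the `auth_failure` branches already do. The function bodies start and end outside the hunks shown, so whether every caller passes an empty set cannot be confirmed from here.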

File diff suppressed because it is too large Load Diff


@ -1,19 +1,19 @@
/* A Bison parser, made by GNU Bison 2.7.12-4996. */
/* A Bison parser, made by GNU Bison 3.0. */
/* Bison interface for Yacc-like parsers in C
Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
@ -26,13 +26,13 @@
special exception, which will cause the skeleton and the resulting
Bison output files to be licensed under the GNU General Public
License without this special exception.
This special exception was added by the Free Software Foundation in
version 2.2 of Bison. */
#ifndef YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED
# define YY_VM_FILE_VAR_VM_FILE_VAR_SYNTAX_HH_INCLUDED
/* Enabling traces. */
/* Debug traces. */
#ifndef YYDEBUG
# define YYDEBUG 0
#endif
@ -40,53 +40,50 @@
extern int vm_file_var__debug;
#endif
/* Tokens. */
/* Token type. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
/* Put the tokens into the symbol table, so that GDB and other debuggers
know about them. */
enum yytokentype {
EQUAL = 258,
COMMA = 259,
OBRACKET = 260,
CBRACKET = 261,
EOA = 262,
STRING = 263,
VARIABLE = 264,
RSTRING = 265,
INTEGER = 266
};
enum yytokentype
{
EQUAL = 258,
COMMA = 259,
OBRACKET = 260,
CBRACKET = 261,
EOA = 262,
STRING = 263,
VARIABLE = 264,
RSTRING = 265,
INTEGER = 266
};
#endif
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
typedef union YYSTYPE YYSTYPE;
union YYSTYPE
{
/* Line 2053 of yacc.c */
#line 190 "vm_file_var_syntax.y"
#line 206 "vm_file_var_syntax.y" /* yacc.c:1909 */
char * val_str;
int val_int;
char val_char;
/* Line 2053 of yacc.c */
#line 75 "vm_file_var_syntax.hh"
} YYSTYPE;
#line 72 "vm_file_var_syntax.hh" /* yacc.c:1909 */
};
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
#endif
/* Location type. */
#if ! defined YYLTYPE && ! defined YYLTYPE_IS_DECLARED
typedef struct YYLTYPE
typedef struct YYLTYPE YYLTYPE;
struct YYLTYPE
{
int first_line;
int first_column;
int last_line;
int last_column;
} YYLTYPE;
# define yyltype YYLTYPE /* obsolescent; will be withdrawn */
};
# define YYLTYPE_IS_DECLARED 1
# define YYLTYPE_IS_TRIVIAL 1
#endif


@ -87,7 +87,9 @@ int get_image_path(VirtualMachine * vm,
Nebula& nd = Nebula::instance();
ImagePool * ipool = nd.get_ipool();
UserPool * upool = nd.get_upool();
Image * img = 0;
User * user = 0;
int iid = -1;
PoolObjectAuth perm;
@ -160,7 +162,21 @@ int get_image_path(VirtualMachine * vm,
img->unlock();
AuthRequest ar(vm->get_uid(), vm->get_gid());
set<int> gids;
user = upool->get(vm->get_uid(), true);
if (user != 0)
{
gids = user->get_groups();
user->unlock();
}
else
{
gids.insert(vm->get_gid());
}
AuthRequest ar(vm->get_uid(), gids);
ar.add_auth(AuthRequest::USE, perm);
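Review bot: The `else` branch added in get_image_path still builds an authorization request when `upool->get(vm->get_uid(), true)` finds no user, falling back to the VM's own group. Whether an image should be authorized on behalf of an owner that cannot be loaded is not evident from the hunk. If the fallback is deliberate, it deserves a comment such as `// Owner could not be loaded: authorize with the VM group only`; otherwise this branch should take the function's error path instead of continuing. get_image_path starts and ends outside the hunk.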

File diff suppressed because it is too large Load Diff


@ -1,19 +1,19 @@
/* A Bison parser, made by GNU Bison 2.7.12-4996. */
/* A Bison parser, made by GNU Bison 3.0. */
/* Bison interface for Yacc-like parsers in C
Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
@ -26,13 +26,13 @@
special exception, which will cause the skeleton and the resulting
Bison output files to be licensed under the GNU General Public
License without this special exception.
This special exception was added by the Free Software Foundation in
version 2.2 of Bison. */
#ifndef YY_EXPR_ARITH_EXPR_ARITH_HH_INCLUDED
# define YY_EXPR_ARITH_EXPR_ARITH_HH_INCLUDED
/* Enabling traces. */
/* Debug traces. */
#ifndef YYDEBUG
# define YYDEBUG 0
#endif
@ -40,47 +40,44 @@
extern int expr_arith__debug;
#endif
/* Tokens. */
/* Token type. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
/* Put the tokens into the symbol table, so that GDB and other debuggers
know about them. */
enum yytokentype {
INTEGER = 258,
STRING = 259,
FLOAT = 260
};
enum yytokentype
{
INTEGER = 258,
STRING = 259,
FLOAT = 260
};
#endif
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
typedef union YYSTYPE YYSTYPE;
union YYSTYPE
{
/* Line 2053 of yacc.c */
#line 78 "expr_arith.y"
#line 78 "expr_arith.y" /* yacc.c:1909 */
char * val_str;
int val_int;
float val_float;
/* Line 2053 of yacc.c */
#line 69 "expr_arith.hh"
} YYSTYPE;
#line 66 "expr_arith.hh" /* yacc.c:1909 */
};
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
#endif
/* Location type. */
#if ! defined YYLTYPE && ! defined YYLTYPE_IS_DECLARED
typedef struct YYLTYPE
typedef struct YYLTYPE YYLTYPE;
struct YYLTYPE
{
int first_line;
int first_column;
int last_line;
int last_column;
} YYLTYPE;
# define yyltype YYLTYPE /* obsolescent; will be withdrawn */
};
# define YYLTYPE_IS_DECLARED 1
# define YYLTYPE_IS_TRIVIAL 1
#endif

File diff suppressed because it is too large Load Diff


@ -1,19 +1,19 @@
/* A Bison parser, made by GNU Bison 2.7.12-4996. */
/* A Bison parser, made by GNU Bison 3.0. */
/* Bison interface for Yacc-like parsers in C
Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
@ -26,13 +26,13 @@
special exception, which will cause the skeleton and the resulting
Bison output files to be licensed under the GNU General Public
License without this special exception.
This special exception was added by the Free Software Foundation in
version 2.2 of Bison. */
#ifndef YY_EXPR_BOOL_EXPR_BOOL_HH_INCLUDED
# define YY_EXPR_BOOL_EXPR_BOOL_HH_INCLUDED
/* Enabling traces. */
/* Debug traces. */
#ifndef YYDEBUG
# define YYDEBUG 0
#endif
@ -40,47 +40,44 @@
extern int expr_bool__debug;
#endif
/* Tokens. */
/* Token type. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
/* Put the tokens into the symbol table, so that GDB and other debuggers
know about them. */
enum yytokentype {
INTEGER = 258,
STRING = 259,
FLOAT = 260
};
enum yytokentype
{
INTEGER = 258,
STRING = 259,
FLOAT = 260
};
#endif
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
typedef union YYSTYPE YYSTYPE;
union YYSTYPE
{
/* Line 2053 of yacc.c */
#line 88 "expr_bool.y"
#line 88 "expr_bool.y" /* yacc.c:1909 */
char * val_str;
int val_int;
float val_float;
/* Line 2053 of yacc.c */
#line 69 "expr_bool.hh"
} YYSTYPE;
#line 66 "expr_bool.hh" /* yacc.c:1909 */
};
# define YYSTYPE_IS_TRIVIAL 1
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
#endif
/* Location type. */
#if ! defined YYLTYPE && ! defined YYLTYPE_IS_DECLARED
typedef struct YYLTYPE
typedef struct YYLTYPE YYLTYPE;
struct YYLTYPE
{
int first_line;
int first_column;
int last_line;
int last_column;
} YYLTYPE;
# define yyltype YYLTYPE /* obsolescent; will be withdrawn */
};
# define YYLTYPE_IS_DECLARED 1
# define YYLTYPE_IS_TRIVIAL 1
#endif