1
0
mirror of https://github.com/OpenNebula/one.git synced 2024-12-22 13:33:52 +03:00

Feature #3167: Allow users to edit their VNets, add vnet restricted attributes

This commit is contained in:
Carlos Martín 2014-09-03 15:31:00 +02:00
parent 2bfdae1c07
commit 00cb00b0e8
13 changed files with 158 additions and 9 deletions

View File

@ -180,6 +180,10 @@ public:
int cluster_id,
const string& cluster_name);
bool allocate_authorization(Template * obj_template,
RequestAttributes& att,
PoolObjectAuth * cluster_perms);
int get_cluster_id(xmlrpc_c::paramList const& paramList)
{
return xmlrpc_c::value_int(paramList.getInt(2));

View File

@ -136,7 +136,7 @@ public:
Nebula& nd = Nebula::instance();
pool = nd.get_vnpool();
auth_object = PoolObjectSQL::NET;
auth_op = AuthRequest::ADMIN;
auth_op = AuthRequest::MANAGE;
};
~VirtualNetworkUpdateTemplate(){};

View File

@ -36,6 +36,7 @@ public:
VirtualNetworkPool(SqlDB * db,
const string& str_mac_prefix,
int default_size,
vector<const Attribute *>& restricted_attrs,
vector<const Attribute *> hook_mads,
const string& remotes_location,
const vector<const Attribute *>& _inherit_attrs);

View File

@ -31,6 +31,48 @@ public:
Template(false,'=',"TEMPLATE"){};
~VirtualNetworkTemplate(){};
/**
* Checks the template for RESTRICTED ATTRIBUTES
* @param rs_attr the first restricted attribute found if any
* @return true if a restricted attribute is found in the template
*/
bool check(string& rs_attr)
{
return Template::check(rs_attr, restricted_attributes);
};
/**
* Deletes all restricted attributes
*/
void remove_restricted()
{
Template::remove_restricted(restricted_attributes);
};
/**
* Deletes all the attributes, except the restricted ones
*/
void remove_all_except_restricted()
{
Template::remove_all_except_restricted(restricted_attributes);
};
private:
friend class VirtualNetworkPool;
static vector<string> restricted_attributes;
/**
* Stores the attributes as restricted, these attributes will be used in
* VirtualMachineTemplate::check
* @param rattrs Attributes to restrict
*/
static void set_restricted_attributes(vector<const Attribute *>& rattrs)
{
Template::set_restricted_attributes(rattrs, restricted_attributes);
};
};
/* -------------------------------------------------------------------------- */

View File

@ -731,6 +731,11 @@ VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC"
IMAGE_RESTRICTED_ATTR = "SOURCE"
VNET_RESTRICTED_ATTR = "PHYDEV"
VNET_RESTRICTED_ATTR = "VLAN_ID"
VNET_RESTRICTED_ATTR = "VLAN"
VNET_RESTRICTED_ATTR = "BRIDGE"
#*******************************************************************************
# Inherited Attributes Configuration
#*******************************************************************************

View File

@ -610,6 +610,19 @@ int Datastore::replace_template(
return -1;
}
if (keep_restricted)
{
new_tmpl->remove_restricted();
if (obj_template != 0)
{
obj_template->remove_all_except_restricted();
string aux_error;
new_tmpl->merge(obj_template, aux_error);
}
}
/* ---------------------------------------------------------------------- */
/* Set the TYPE of the Datastore (class & template) */
/* ---------------------------------------------------------------------- */

View File

@ -463,6 +463,7 @@ void Nebula::start(bool bootstrap_only)
vector<const Attribute *> vm_restricted_attrs;
vector<const Attribute *> img_restricted_attrs;
vector<const Attribute *> vnet_restricted_attrs;
vector<const Attribute *> inherit_image_attrs;
vector<const Attribute *> inherit_datastore_attrs;
@ -481,6 +482,7 @@ void Nebula::start(bool bootstrap_only)
nebula_configuration->get("VM_RESTRICTED_ATTR", vm_restricted_attrs);
nebula_configuration->get("IMAGE_RESTRICTED_ATTR", img_restricted_attrs);
nebula_configuration->get("VNET_RESTRICTED_ATTR", vnet_restricted_attrs);
nebula_configuration->get("INHERIT_IMAGE_ATTR", inherit_image_attrs);
nebula_configuration->get("INHERIT_DATASTORE_ATTR", inherit_datastore_attrs);
@ -510,6 +512,7 @@ void Nebula::start(bool bootstrap_only)
vnpool = new VirtualNetworkPool(db,
mac_prefix,
size,
vnet_restricted_attrs,
vnet_hooks,
remotes_location,
inherit_vnet_attrs);

View File

@ -125,6 +125,45 @@ bool VirtualMachineAllocate::allocate_authorization(
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
bool VirtualNetworkAllocate::allocate_authorization(
Template * tmpl,
RequestAttributes& att,
PoolObjectAuth * cluster_perms)
{
string aname;
VirtualNetworkTemplate * vn_tmpl = static_cast<VirtualNetworkTemplate *>(tmpl);
bool auth = RequestManagerAllocate::allocate_authorization(
vn_tmpl, att, cluster_perms);
if ( auth )
{
// ------------ Check template for restricted attributes --------------
if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
{
if (vn_tmpl->check(aname))
{
ostringstream oss;
oss << "Template includes a restricted attribute " << aname;
failure_response(AUTHORIZATION,
authorization_error(oss.str(), att),
att);
return false;
}
}
}
return auth;
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
RequestAttributes& att)
{

View File

@ -327,7 +327,7 @@ tabs:
Datastore.delete: false
vnets-tab:
panel_tabs:
vnet_info_tab: false
vnet_info_tab: true
vnet_ar_list_tab: true
vnet_leases_tab: true
table_columns:

View File

@ -25,7 +25,8 @@ source_files=[
'VirtualNetwork.cc',
'VirtualNetworkPool.cc',
'AddressRange.cc',
'AddressRangePool.cc'
'AddressRangePool.cc',
'VirtualNetworkTemplate.cc'
]
# Build library

View File

@ -230,6 +230,19 @@ int VirtualNetwork::replace_template(
return -1;
}
if (keep_restricted)
{
new_tmpl->remove_restricted();
if (obj_template != 0)
{
obj_template->remove_all_except_restricted();
string aux_error;
new_tmpl->merge(obj_template, aux_error);
}
}
delete obj_template;
obj_template = new_tmpl;

View File

@ -35,6 +35,7 @@ VirtualNetworkPool::VirtualNetworkPool(
SqlDB * db,
const string& prefix,
int __default_size,
vector<const Attribute *>& restricted_attrs,
vector<const Attribute *> hook_mads,
const string& remotes_location,
const vector<const Attribute *>& _inherit_attrs):
@ -73,14 +74,16 @@ VirtualNetworkPool::VirtualNetworkPool(
_mac_prefix <<= 8;
_mac_prefix += tmp;
register_hooks(hook_mads, remotes_location);
VirtualNetworkTemplate::set_restricted_attributes(restricted_attrs);
for (it = _inherit_attrs.begin(); it != _inherit_attrs.end(); it++)
{
const SingleAttribute* sattr = static_cast<const SingleAttribute *>(*it);
register_hooks(hook_mads, remotes_location);
inherit_attrs.push_back(sattr->value());
}
for (it = _inherit_attrs.begin(); it != _inherit_attrs.end(); it++)
{
const SingleAttribute* sattr = static_cast<const SingleAttribute *>(*it);
inherit_attrs.push_back(sattr->value());
}
}
/* -------------------------------------------------------------------------- */

View File

@ -0,0 +1,25 @@
/* -------------------------------------------------------------------------- */
/* Copyright 2002-2014, OpenNebula Project (OpenNebula.org), C12G Labs */
/* */
/* Licensed under the Apache License, Version 2.0 (the "License"); you may */
/* not use this file except in compliance with the License. You may obtain */
/* a copy of the License at */
/* */
/* http://www.apache.org/licenses/LICENSE-2.0 */
/* */
/* Unless required by applicable law or agreed to in writing, software */
/* distributed under the License is distributed on an "AS IS" BASIS, */
/* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. */
/* See the License for the specific language governing permissions and */
/* limitations under the License. */
/* -------------------------------------------------------------------------- */
#include "VirtualNetworkTemplate.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
vector<string> VirtualNetworkTemplate::restricted_attributes;
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */