From 01d932adeaa9381602787b7072a9e2b0de8714b5 Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Tue, 24 May 2011 17:52:17 +0200
Subject: [PATCH] feature #622: Added auth for the pool infos. New Auth action is INFO_POOL

---
 include/AuthManager.h | 1 +
 include/RequestManagerPoolInfo.h | 16 +++++++++++-----
 include/RequestManagerPoolInfoFilter.h | 25 +++++++++++++++----------
 src/authm/AuthManager.cc | 11 +++++++++++
 src/rm/RequestManagerPoolInfo.cc | 25 +++++++++++++++++++++++--
 src/rm/RequestManagerPoolInfoFilter.cc | 23 +++++++++++++++++++++++
 6 files changed, 84 insertions(+), 17 deletions(-)

diff --git a/include/AuthManager.h b/include/AuthManager.h
index 5fe92b78be..8b666a0649 100644
--- a/include/AuthManager.h
+++ b/include/AuthManager.h
@@ -281,6 +281,7 @@ public:
 USE, /** Authorization to use an object */
 MANAGE, /** Authorization to manage an object */
 INFO, /** Authorization to view an object */
+ INFO_POOL, /** Authorization to view all objects in the pool */
 INSTANTIATE /** Authorization to instantiate a VM from a TEMPLATE */
 };
 
diff --git a/include/RequestManagerPoolInfo.h b/include/RequestManagerPoolInfo.h
index ae572cffaf..c395564927 100644
--- a/include/RequestManagerPoolInfo.h
+++ b/include/RequestManagerPoolInfo.h
@@ -19,6 +19,7 @@
 
 #include "Request.h"
 #include "Nebula.h"
+#include "AuthManager.h"
 
 using namespace std;
 
@@ -43,7 +44,8 @@ protected:
 
 /* -------------------------------------------------------------------- */
 
- PoolSQL *pool;
+ PoolSQL * pool;
+ AuthRequest::Object auth_object;
 };
 
 /* ------------------------------------------------------------------------- */
@@ -56,8 +58,9 @@ public:
 RequestManagerPoolInfo("HostPoolInfo",
 "Returns the host pool")
 {
- Nebula& nd = Nebula::instance();
- pool = nd.get_hpool();
+ Nebula& nd = Nebula::instance();
+ pool = nd.get_hpool();
+ auth_object = AuthRequest::HOST;
 };
 
 ~HostPoolInfo(){};
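Review bot: The new `auth_object` member is never initialized by the base class; the hunk relies on every derived constructor in this file (HostPoolInfo, ClusterPoolInfo, GroupPoolInfo, UserPoolInfo) assigning it, and a later subclass that forgets will hand an indeterminate enum value to AuthRequest::add_auth with no compiler diagnostic. The base constructor is outside the hunk, so the least that should be done here is to document the contract on the declaration, e.g. `AuthRequest::Object auth_object; /**< Pool object type checked with AuthRequest::INFO_POOL; every derived constructor must set it */`. The identical member added in include/RequestManagerPoolInfoFilter.h (hunk @@ -50,7 +50,8 @@) has the same issue.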
@@ -75,6 +78,7 @@ public:
 {
 Nebula& nd = Nebula::instance();
 pool = nd.get_cpool();
+ auth_object = AuthRequest::CLUSTER;
 };
 
 ~ClusterPoolInfo(){};
@@ -97,6 +101,7 @@ public:
 {
 Nebula& nd = Nebula::instance();
 pool = nd.get_gpool();
+ auth_object = AuthRequest::GROUP;
 };
 
 ~GroupPoolInfo(){};
@@ -112,8 +117,9 @@ public:
 RequestManagerPoolInfo("UserPoolInfo",
 "Returns the user pool")
 {
- Nebula& nd = Nebula::instance();
- pool = nd.get_upool();
+ Nebula& nd = Nebula::instance();
+ pool = nd.get_upool();
+ auth_object = AuthRequest::USER;
 };
 
 ~UserPoolInfo(){};
diff --git a/include/RequestManagerPoolInfoFilter.h b/include/RequestManagerPoolInfoFilter.h
index f389ba82ac..000f23248f 100644
--- a/include/RequestManagerPoolInfoFilter.h
+++ b/include/RequestManagerPoolInfoFilter.h
@@ -19,7 +19,7 @@
 
 #include "Request.h"
 #include "Nebula.h"
-//#include "AuthManager.h"
+#include "AuthManager.h"
 
 using namespace std;
 
@@ -50,7 +50,8 @@ protected:
 
 /* -------------------------------------------------------------------- */
 
- PoolSQL *pool;
+ PoolSQL * pool;
+ AuthRequest::Object auth_object;
 };
 
 /* ------------------------------------------------------------------------- */
@@ -63,8 +64,9 @@ public:
 RequestManagerPoolInfoFilter("VirtualMachinePoolInfo",
 "Returns the virtual machine instances pool")
 {
- Nebula& nd = Nebula::instance();
- pool = nd.get_vmpool();
+ Nebula& nd = Nebula::instance();
+ pool = nd.get_vmpool();
+ auth_object = AuthRequest::VM;
 };
 
 ~VirtualMachinePoolInfo(){};
@@ -80,8 +82,9 @@ public:
 RequestManagerPoolInfoFilter("TemplatePoolInfo",
 "Returns the virtual machine template pool")
 {
- Nebula& nd = Nebula::instance();
- pool = nd.get_tpool();
+ Nebula& nd = Nebula::instance();
+ pool = nd.get_tpool();
+ auth_object = AuthRequest::TEMPLATE;
 };
 
 ~TemplatePoolInfo(){};
@@ -102,8 +105,9 @@ public:
 RequestManagerPoolInfoFilter("VirtualNetworkPoolInfo",
 "Returns the virtual network pool")
 {
- Nebula& nd = Nebula::instance();
- pool = nd.get_vnpool();
+ Nebula& nd = Nebula::instance();
+ pool = nd.get_vnpool();
+ auth_object = AuthRequest::NET;
 };
 
 ~VirtualNetworkPoolInfo(){};
@@ -119,8 +123,9 @@ public:
 RequestManagerPoolInfoFilter("ImagePoolInfo",
 "Returns the image pool")
 {
- Nebula& nd = Nebula::instance();
- pool = nd.get_ipool();
+ Nebula& nd = Nebula::instance();
+ pool = nd.get_ipool();
+ auth_object = AuthRequest::IMAGE;
 };
 
 ~ImagePoolInfo(){};
diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc
index ef960f2fcc..06d4237897 100644
--- a/src/authm/AuthManager.cc
+++ b/src/authm/AuthManager.cc
@@ -92,6 +92,10 @@ void AuthRequest::add_auth(Object ob,
 oss << "INFO:" ;
 break;
 
+ case INFO_POOL:
+ oss << "INFO_POOL:" ;
+ break;
+
 case INSTANTIATE:
 oss << "INSTANTIATE:" ;
 break;
@@ -149,6 +153,13 @@ void AuthRequest::add_auth(Object ob,
 case INFO: // This is for completeness, as the only INFO existing
 // is for UserPool, and just oneadmin can see it
 break;
+
+ case INFO_POOL:
+ if ( ob != USER )
+ {
+ auth = true;
+ }
+ break;
 }
 }
 
diff --git a/src/rm/RequestManagerPoolInfo.cc b/src/rm/RequestManagerPoolInfo.cc
index dad7cdb577..671f4b150c 100644
--- a/src/rm/RequestManagerPoolInfo.cc
+++ b/src/rm/RequestManagerPoolInfo.cc
@@ -28,7 +28,24 @@ void RequestManagerPoolInfo::request_execute(
 {
 ostringstream oss;
 int rc;
- 
+
+ //Authorize the operation
+ if ( uid != 0 ) // uid == 0 means oneadmin
+ {
+ AuthRequest ar(uid);
+
+ ar.add_auth(auth_object,
+ -1,
+ AuthRequest::INFO_POOL,
+ 0,
+ false);
+
+ if (UserPool::authorize(ar) == -1)
+ {
+ goto error_authorize;
+ }
+ }
+
 // Call the template pool dump
 rc = pool->dump(oss,"");
 
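Review bot: The new `case INFO_POOL:` sets `auth = true` for every object type except USER without consulting `owner` or `pub`, so whatever `auth` feeds after the switch (outside the hunk; it looks like the request's self-authorization flag) grants a full pool listing of VM, NET, IMAGE, TEMPLATE, HOST, CLUSTER and GROUP to any non-oneadmin uid, and an external authorization driver would never be asked about INFO_POOL for those pools. If that is the intended policy it should be stated in a comment, e.g. `// INFO_POOL: pool listings are self-authorized for every object but USER; owner and pub are ignored`; if not, leave `auth` false here as the INFO case does so that the decision is delegated. add_auth starts before the hunk.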
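Review bot: The `ar.add_auth(auth_object, -1, AuthRequest::INFO_POOL, 0, false)` call passes three bare literals whose meaning a reader has to look up in AuthRequest::add_auth; a one-line comment would help, e.g. `// pool-wide check: no object id (-1), owner 0, not public`. The `uid != 0` shortcut is explained only by the trailing comment; if AuthRequest already treats uid 0 as oneadmin (not visible here) the bypass is redundant and every request could take the same path. The same call and shortcut appear in src/rm/RequestManagerPoolInfoFilter.cc (hunk @@ -66,6 +66,23 @@). request_execute starts before the hunk.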
@@ -40,9 +57,13 @@ void RequestManagerPoolInfo::request_execute(
 success_response(oss.str());
 return;
 
+//TODO Get the object name from the AuthRequest Class
+error_authorize:
+ failure_response(AUTHORIZATION,
+ authorization_error("INFO","USER",uid,-1));
+ return;
 
 error_dump: //TBD Improve Error messages for DUMP
- oss.str();
 failure_response(INTERNAL,"Internal Error");
 return;
 }
diff --git a/src/rm/RequestManagerPoolInfoFilter.cc b/src/rm/RequestManagerPoolInfoFilter.cc
index ecf51220c4..9742640740 100644
--- a/src/rm/RequestManagerPoolInfoFilter.cc
+++ b/src/rm/RequestManagerPoolInfoFilter.cc
@@ -66,6 +66,23 @@ void RequestManagerPoolInfoFilter::request_execute(
 break;
 }
 
+ //Authorize the operation
+ if ( uid != 0 && (filter_flag == ALL || filter_flag >= 0) ) // uid == 0 means oneadmin
+ {
+ AuthRequest ar(uid);
+
+ ar.add_auth(auth_object,
+ -1,
+ AuthRequest::INFO_POOL,
+ 0,
+ false);
+
+ if (UserPool::authorize(ar) == -1)
+ {
+ goto error_authorize;
+ }
+ }
+
 // Call the template pool dump
 rc = pool->dump(oss,where_string.str());
 
@@ -82,6 +99,12 @@ error_filter:
 failure_response(XML_RPC_API,
 "Incorrect filter_flag, must be >= -3.");
 return;
+//TODO Get the object name from the AuthRequest Class
+error_authorize:
+ failure_response(AUTHORIZATION,
+ authorization_error("INFO","USER",uid,-1));
+ return;
+
 error_dump: //TBD Improve Error messages for DUMP
 oss.str();
 failure_response(INTERNAL,"Internal Error");
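Review bot: The new `error_authorize` label reports every denial as `authorization_error("INFO","USER",uid,-1)`, so a rejected HostPoolInfo or GroupPoolInfo call is returned and logged as an INFO operation on USER, which misleads both the caller and anyone reading the log; the TODO covers the object name, but the operation string is wrong as well, since the request that failed was INFO_POOL. The operation should already read `"INFO_POOL"` here, with the object name derived from `auth_object` once AuthRequest exposes it rather than hard-coded to `"USER"`. The identical label added in src/rm/RequestManagerPoolInfoFilter.cc (hunk @@ -82,6 +99,12 @@) has the same problem. request_execute starts before the hunk.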
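Review bot: The authorization branch runs for `filter_flag >= 0`, i.e. a request for one specific user's objects, but the AuthRequest it builds is identical to the ALL case (object id -1, owner 0), so the authorization decision cannot depend on whose objects are requested and a uid listing another user's objects is checked exactly like a listing of everything. If the owner field is meant to carry that, pass the requested uid through, e.g. `filter_flag >= 0 ? filter_flag : 0,` in place of the literal `0,`. The remaining negative filter values skip the check entirely; presumably that is intended because they only select the caller's own or group objects, but a comment saying so would keep the branch from reading as an oversight. request_execute starts before the hunk.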