Feature #687: ACL rules now check the object's group
This commit is contained in:
parent
2da4877c8c
commit
05ea353f24
@ -361,6 +361,7 @@ public:
|
||||
*/
|
||||
void add_auth(Object ob,
|
||||
const string& ob_id,
|
||||
int ob_gid,
|
||||
Operation op,
|
||||
int owner,
|
||||
bool pub);
|
||||
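Review bot: The new `ob_gid` parameter is undocumented: the Doxygen block that closes with the `*/` just above the signature (its body lies outside the hunk) says nothing about what a caller passes when the object has no group or does not exist yet, and the call sites in this commit pass `-1` in both situations. Add a line there such as `* @param ob_gid group id of the object, or -1 if the object has no group (e.g. HOST) or does not exist yet (allocate / CREATE requests)`, and the same line to the comment of the inline `int ob_id` overload in the next hunk, which forwards `ob_gid` unchanged.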
@ -370,6 +371,7 @@ public:
|
||||
*/
|
||||
void add_auth(Object ob,
|
||||
int ob_id,
|
||||
int ob_gid,
|
||||
Operation op,
|
||||
int owner,
|
||||
bool pub)
|
||||
@ -377,7 +379,7 @@ public:
|
||||
ostringstream oss;
|
||||
oss << ob_id;
|
||||
|
||||
add_auth(ob,oss.str(),op,owner,pub);
|
||||
add_auth(ob,oss.str(),ob_gid,op,owner,pub);
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -32,6 +32,7 @@ const char * AuthManager::auth_driver_name = "auth_exe";
|
||||
|
||||
void AuthRequest::add_auth(Object ob,
|
||||
const string& ob_id,
|
||||
int ob_gid,
|
||||
Operation op,
|
||||
int owner,
|
||||
bool pub)
|
||||
@ -39,7 +40,7 @@ void AuthRequest::add_auth(Object ob,
|
||||
ostringstream oss;
|
||||
bool auth;
|
||||
|
||||
int ob_id_int = 0;
|
||||
int ob_id_int = -1;
|
||||
|
||||
oss << Object_to_str(ob) << ":";
|
||||
|
||||
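Review bot: The initial value of `ob_id_int` changes from 0 to -1 with no comment, although it appears to be the difference between a non-numeric `ob_id` (the template XML passed on allocate) reaching the ACL layer as oid 0, a real object, and reaching it as "no object". If that reading is right (the conversion of `ob_id` into `ob_id_int` is outside the hunk), pin it in place: `int ob_id_int = -1; // -1 = no concrete object (ob_id may be template XML); must never alias a real oid`. add_auth continues past the hunk.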
@ -82,8 +83,6 @@ void AuthRequest::add_auth(Object ob,
|
||||
// TODO, the set of object ids is needed
|
||||
set<int> emtpy_set;
|
||||
|
||||
int ob_gid = 0;
|
||||
|
||||
Nebula& nd = Nebula::instance();
|
||||
AclManager* aclm = nd.get_aclm();
|
||||
|
||||
|
@ -252,6 +252,7 @@ void ImagePool::authorize_disk(VectorAttribute * disk,int uid, AuthRequest * ar)
|
||||
|
||||
ar->add_auth(AuthRequest::IMAGE,
|
||||
img->get_oid(),
|
||||
img->get_gid(),
|
||||
AuthRequest::USE,
|
||||
img->get_uid(),
|
||||
img->isPublic());
|
||||
|
@ -52,6 +52,7 @@ bool Request::basic_authorization(int oid)
|
||||
|
||||
bool pub;
|
||||
int ouid;
|
||||
int ogid;
|
||||
|
||||
if ( uid == 0 )
|
||||
{
|
||||
@ -74,6 +75,7 @@ bool Request::basic_authorization(int oid)
|
||||
}
|
||||
|
||||
ouid = object->get_uid();
|
||||
ogid = object->get_gid();
|
||||
pub = object->isPublic();
|
||||
|
||||
object->unlock();
|
||||
@ -81,7 +83,7 @@ bool Request::basic_authorization(int oid)
|
||||
|
||||
AuthRequest ar(uid);
|
||||
|
||||
ar.add_auth(auth_object, oid, auth_op, ouid, pub);
|
||||
ar.add_auth(auth_object, oid, ogid, auth_op, ouid, pub);
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
{
|
||||
|
@ -34,13 +34,13 @@ bool RequestManagerAllocate::allocate_authorization(Template * tmpl)
|
||||
|
||||
if ( tmpl == 0 )
|
||||
{
|
||||
ar.add_auth(auth_object,-1,auth_op,uid,false);
|
||||
ar.add_auth(auth_object,-1,-1,auth_op,uid,false);
|
||||
}
|
||||
else
|
||||
{
|
||||
string t64;
|
||||
|
||||
ar.add_auth(auth_object,tmpl->to_xml(t64),auth_op,uid,false);
|
||||
ar.add_auth(auth_object,tmpl->to_xml(t64),-1,auth_op,uid,false);
|
||||
}
|
||||
|
||||
if (UserPool::authorize(ar) == -1)
|
||||
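Review bot: The literal `-1` passed as `ob_gid` on both allocate calls here carries two meanings across this commit — "object not created yet" here and in VirtualMachineAllocate (next hunk), and "object type has no group" for `AuthRequest::HOST` in vm_authorization — and nothing at the call site says which. A named constant in AuthRequest (something like `static const int NO_GROUP_ID = -1;`) would make the sentinel greppable and keep it in step with whatever AuthRequest::add_auth does with it. Separately, if group-scoped ACL rules are meant to govern CREATE, the group the new object will belong to may be the intended value rather than -1; if -1 is deliberate, a comment such as `// object does not exist yet: no group to match ACL group rules against` would record that.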
@ -67,7 +67,7 @@ bool VirtualMachineAllocate::allocate_authorization(Template * tmpl)
|
||||
|
||||
VirtualMachineTemplate * ttmpl = static_cast<VirtualMachineTemplate *>(tmpl);
|
||||
|
||||
ar.add_auth(auth_object,tmpl->to_xml(t64),auth_op,uid,false);
|
||||
ar.add_auth(auth_object,tmpl->to_xml(t64),-1,auth_op,uid,false);
|
||||
|
||||
VirtualMachine::set_auth_request(uid, ar, ttmpl);
|
||||
|
||||
|
@ -25,7 +25,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
|
||||
int id = xmlrpc_c::value_int(paramList.getInt(1));
|
||||
string name = xmlrpc_c::value_string(paramList.getString(2));
|
||||
|
||||
int rc, ouid, vid;
|
||||
int rc, ouid, ogid, vid;
|
||||
|
||||
Nebula& nd = Nebula::instance();
|
||||
VirtualMachinePool* vmpool = nd.get_vmpool();
|
||||
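Review bot: `ogid` joins the uninitialised declaration `int rc, ouid, ogid, vid;` and is only assigned after `rtmpl` has been fetched (`ogid = rtmpl->get_gid();` in the next hunk); the lookup and its failure branch sit between the hunks, so it is not visible whether every path that reaches `ar.add_auth(auth_object, id, ogid, auth_op, ouid, false)` has passed the assignment. It follows the existing `ouid` pattern, so this is likely safe, but an authorisation input read uninitialised is the kind of thing worth closing off: `int ogid = -1;` on its own line keeps the ACL check from seeing garbage if the early-return assumption is ever broken.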
@ -46,6 +46,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
|
||||
|
||||
tmpl = rtmpl->clone_template();
|
||||
ouid = rtmpl->get_uid();
|
||||
ogid = rtmpl->get_gid();
|
||||
|
||||
rtmpl->unlock();
|
||||
|
||||
@ -56,7 +57,7 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
|
||||
{
|
||||
AuthRequest ar(uid);
|
||||
|
||||
ar.add_auth(auth_object, id, auth_op, ouid, false);
|
||||
ar.add_auth(auth_object, id, ogid, auth_op, ouid, false);
|
||||
|
||||
VirtualMachine::set_auth_request(uid, ar, tmpl);
|
||||
|
||||
|
@ -25,6 +25,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid, int hid, ImageTempl
|
||||
PoolObjectSQL * object;
|
||||
|
||||
int ouid;
|
||||
int ogid;
|
||||
|
||||
if ( uid == 0 )
|
||||
{
|
||||
@ -40,16 +41,17 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid, int hid, ImageTempl
|
||||
}
|
||||
|
||||
ouid = object->get_uid();
|
||||
ogid = object->get_gid();
|
||||
|
||||
object->unlock();
|
||||
|
||||
AuthRequest ar(uid);
|
||||
|
||||
ar.add_auth(auth_object, oid, auth_op, ouid, false);
|
||||
ar.add_auth(auth_object, oid, ogid, auth_op, ouid, false);
|
||||
|
||||
if (hid != -1)
|
||||
{
|
||||
ar.add_auth(AuthRequest::HOST,hid,AuthRequest::USE,0,false);
|
||||
ar.add_auth(AuthRequest::HOST,hid,-1,AuthRequest::USE,0,false);
|
||||
}
|
||||
else if (tmpl != 0)
|
||||
{
|
||||
@ -57,6 +59,7 @@ bool RequestManagerVirtualMachine::vm_authorization(int oid, int hid, ImageTempl
|
||||
|
||||
ar.add_auth(AuthRequest::IMAGE,
|
||||
tmpl->to_xml(t64),
|
||||
-1,
|
||||
AuthRequest::CREATE,
|
||||
uid,
|
||||
false);
|
||||
|
@ -196,6 +196,7 @@ void VirtualNetworkPool::authorize_nic(VectorAttribute * nic,
|
||||
|
||||
ar->add_auth(AuthRequest::NET,
|
||||
vnet->get_oid(),
|
||||
vnet->get_gid(),
|
||||
AuthRequest::USE,
|
||||
vnet->get_uid(),
|
||||
vnet->isPublic());
|
||||
|