shaba/one
1
0
Fork 0
mirror of https://github.com/OpenNebula/one.git synced 2025-03-26 06:50:09 +03:00
Code Releases Wiki Activity

feature #203: Finishing RM authorization task

Browse Source
This commit is contained in:
Tino Vázquez 2010-07-13 18:16:05 +02:00
parent d449453919
commit 0659115f70
18 changed files with 195 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/AuthManager.h
View File

@ -276,10 +276,11 @@ public:
*/
enum Operation
{
CREATE, /** Authorization to create an object (host, vm, net, image)*/
DELETE, /** Authorization to delete an object */
USE, /** Authorization to use an object */
MANAGE /** Authorization to manage an object */
CREATE, /** Authorization to create an object (host, vm, net, image)*/
DELETE, /** Authorization to delete an object */
USE, /** Authorization to use an object */
MANAGE, /** Authorization to manage an object */
INFO /** Authorization to view an object */
};
/**
@ -291,7 +292,8 @@ public:
HOST,
NET,
IMAGE,
USER
USER,
CLUSTER
};
/**

19
src/authm/AuthManager.cc
View File

@ -80,11 +80,12 @@ void AuthRequest::add_auth(Object ob,
switch (ob)
{
case VM: oss << "VM:" ; break;
case HOST: oss << "HOST:" ; break;
case NET: oss << "NET:" ; break;
case IMAGE: oss << "IMAGE:" ; break;
case USER: oss << "USER:" ; break;
case VM: oss << "VM:" ; break;
case HOST: oss << "HOST:" ; break;
case NET: oss << "NET:" ; break;
case IMAGE: oss << "IMAGE:" ; break;
case USER: oss << "USER:" ; break;
case CLUSTER: oss << "CLUSTER:" ; break;
}
if (op == CREATE) //encode the ob_id, it is a template
@ -123,6 +124,10 @@ void AuthRequest::add_auth(Object ob,
case MANAGE:
oss << "MANAGE:" ;
break;
case INFO:
oss << "INFO:" ;
break;
}
oss << owner << ":" << pub;
@ -166,6 +171,10 @@ void AuthRequest::add_auth(Object ob,
case MANAGE:
auth = owner == uid;
break;
case INFO: // This is for completeness, as the only INFO existing
// is for UserPool, and just oneadmin can see it
break;
}
}

7
src/rm/RequestManagerClusterAdd.cc
View File

@ -61,8 +61,9 @@ void RequestManager::ClusterAdd::execute(
if ( rc != 0 ) // rc == 0 means oneadmin
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::HOST,hid,AuthRequest::MANAGE,0,false);
ar.add_auth(AuthRequest::CLUSTER,clid,AuthRequest::USE,0,false);
if (UserPool::authorize(ar) == -1)
{
@ -107,7 +108,7 @@ error_authenticate:
goto error_common;
error_authorize:
oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, hid));
oss.str(authorization_error(method_name, "USE", "CLUSTER", rc, clid));
goto error_common;
error_host_get:
@ -116,7 +117,7 @@ error_host_get:
error_cluster_add:
host->unlock();
oss.str(action_error(method_name, "MANAGE", "HOST", hid, rc));
oss.str(action_error(method_name, "USE", "CLUSTER", clid, rc));
goto error_common;
error_common:

4
src/rm/RequestManagerClusterAllocate.cc
View File

@ -59,7 +59,7 @@ void RequestManager::ClusterAllocate::execute(
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::HOST,-1,AuthRequest::MANAGE,0,false);
ar.add_auth(AuthRequest::CLUSTER,-1,AuthRequest::CREATE,0,false);
if (UserPool::authorize(ar) == -1)
{
@ -91,7 +91,7 @@ error_authenticate:
goto error_common;
error_authorize:
oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, -1));
oss.str(authorization_error(method_name, "CREATE", "CLUSTER", rc, -1));
goto error_common;
error_cluster_allocate:

4
src/rm/RequestManagerClusterDelete.cc
View File

@ -58,7 +58,7 @@ void RequestManager::ClusterDelete::execute(
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::HOST,-1,AuthRequest::MANAGE,0,false);
ar.add_auth(AuthRequest::CLUSTER,clid,AuthRequest::DELETE,0,false);
if (UserPool::authorize(ar) == -1)
{
@ -89,7 +89,7 @@ error_authenticate:
goto error_common;
error_authorize:
oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, -1));
oss.str(authorization_error(method_name, "DELETE", "CLUSTER", rc, clid));
goto error_common;
error_cluster_delete:

10
src/rm/RequestManagerHostInfo.cc
View File

@ -24,11 +24,11 @@ void RequestManager::HostInfo::execute(
xmlrpc_c::paramList const& paramList,
xmlrpc_c::value * const retval)
{
string session;
int hid;
int rc;
Host * host;
string session;
int hid;
int rc;
Host * host;
ostringstream oss;

6
src/rm/RequestManagerImageAllocate.cc
View File

@ -51,15 +51,13 @@ void RequestManager::ImageAllocate::execute(
// First, we need to authenticate the user
rc = ImageAllocate::upool->authenticate(session);
uid = ImageAllocate::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
uid = rc;
rc = ImageAllocate::ipool->allocate(uid,image_template,&iid);
if ( rc < 0 )

26
src/rm/RequestManagerImageDelete.cc
View File

@ -33,6 +33,9 @@ void RequestManager::ImageDelete::execute(
int iid;
int uid;
int rc;
int image_owner;
bool is_public;
Image * image;
@ -51,21 +54,36 @@ void RequestManager::ImageDelete::execute(
// First, we need to authenticate the user
rc = ImageDelete::upool->authenticate(session);
uid = ImageDelete::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
// Get image from the ImagePool
image = ImageDelete::ipool->get(iid,true);
uid = rc;
if ( image == 0 )
{
goto error_image_get;
}
image_owner = image->get_uid();
is_public = image->isPublic();
image->unlock();
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
AuthRequest ar(uid);
ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::DELETE,0,false);
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::DELETE,
image_owner,
is_public);
if (UserPool::authorize(ar) == -1)
{

26
src/rm/RequestManagerImageEnable.cc
View File

@ -35,6 +35,9 @@ void RequestManager::ImageEnable::execute(
int uid;
int rc;
int image_owner;
bool is_public;
Image * image;
ostringstream oss;
@ -52,21 +55,36 @@ void RequestManager::ImageEnable::execute(
enable_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2));
// First, we need to authenticate the user
rc = ImageEnable::upool->authenticate(session);
uid = ImageEnable::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
uid = rc;
// Get image from the ImagePool
image = ImageEnable::ipool->get(iid,true);
if ( image == 0 )
{
goto error_image_get;
}
image_owner = image->get_uid();
is_public = image->isPublic();
image->unlock();
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
AuthRequest ar(uid);
ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::MANAGE,0,false);
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::MANAGE,
image_owner,
is_public);
if (UserPool::authorize(ar) == -1)
{

34
src/rm/RequestManagerImageInfo.cc
View File

@ -28,14 +28,14 @@ void RequestManager::ImageInfo::execute(
{
string session;
int iid;
int uid; // Image owner user id
int rc; // Requesting user id
Image * image;
int iid;
int uid; // Image owner user id
int rc; // Requesting user id
Image * image;
ostringstream oss;
const string method_name = "ImageInfo";
const string method_name = "ImageInfo";
/* -- RPC specific vars -- */
vector<xmlrpc_c::value> arrayData;
@ -65,23 +65,6 @@ void RequestManager::ImageInfo::execute(
goto error_authenticate;
}
//Authorize the operation
if ( rc != 0 ) // rc == 0 means oneadmin
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::USE,
0,
image->isPublic());
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
oss << *image;
image->unlock();
@ -107,11 +90,6 @@ error_authenticate:
image->unlock();
goto error_common;
error_authorize:
oss.str(authorization_error(method_name, "USE", "IMAGE", rc, iid));
image->unlock();
goto error_common;
error_common:
arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
arrayData.push_back(xmlrpc_c::value_string(oss.str()));

20
src/rm/RequestManagerImagePoolInfo.cc
View File

@ -46,14 +46,12 @@ void RequestManager::ImagePoolInfo::execute(
filter_flag = xmlrpc_c::value_int(paramList.getInt(1));
// Check if it is a valid user
rc = ImagePoolInfo::upool->authenticate(session);
uid = ImagePoolInfo::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
uid = rc;
where_string.str("");
@ -70,21 +68,13 @@ void RequestManager::ImagePoolInfo::execute(
switch(filter_flag)
{
case -2:
if ( uid != 0 )
{
goto error_authorization;
}
// TODO define authentication bug #278
// where remains empty.
break;
case -1:
where_string << "UID=" << uid << " OR public = 'YES'";
break;
default:
// Only oneadmin or the user can list a specific user's images.
if ( uid != 0 && uid != filter_flag )
{
goto error_authorization;
}
where_string << "UID=" << filter_flag;
}
@ -114,10 +104,6 @@ error_authenticate:
oss.str(authenticate_error(method_name));
goto error_common;
error_authorization:
oss.str(authorization_error(method_name, "USE", "IMAGE", uid, NULL));
goto error_common;
error_filter_flag:
oss << "Incorrect filter_flag, must be >= -2.";
goto error_common;

57
src/rm/RequestManagerImagePublish.cc
View File

@ -33,7 +33,9 @@ void RequestManager::ImagePublish::execute(
int iid;
bool publish_flag;
int uid;
int rc;
int image_owner;
bool is_public;
Image * image;
@ -52,32 +54,13 @@ void RequestManager::ImagePublish::execute(
publish_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2));
// First, we need to authenticate the user
rc = ImagePublish::upool->authenticate(session);
uid = ImagePublish::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
uid = rc;
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
AuthRequest ar(uid);
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::MANAGE,
0,
image->isPublic());
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
// Get image from the ImagePool
image = ImagePublish::ipool->get(iid,true);
@ -86,6 +69,36 @@ void RequestManager::ImagePublish::execute(
goto error_image_get;
}
image_owner = image->get_uid();
is_public = image->isPublic();
image->unlock();
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
AuthRequest ar(uid);
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::MANAGE,
image_owner,
is_public);
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
// Get the image locked again
image = ImagePublish::ipool->get(iid,true);
if ( image == 0 )
{
goto error_image_get;
}
image->publish(publish_flag);
ImagePublish::ipool->update(image);

24
src/rm/RequestManagerImageRemoveAttribute.cc
View File

@ -34,6 +34,9 @@ void RequestManager::ImageRemoveAttribute::execute(
int iid;
int uid;
int rc;
int image_owner;
bool is_public;
Image * image;
@ -52,14 +55,25 @@ void RequestManager::ImageRemoveAttribute::execute(
name = xmlrpc_c::value_string(paramList.getString(2));
// First, we need to authenticate the user
rc = ImageRemoveAttribute::upool->authenticate(session);
uid = ImageRemoveAttribute::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
// Get image from the ImagePool
image = ImageRemoveAttribute::ipool->get(iid,true);
uid = rc;
if ( image == 0 )
{
goto error_image_get;
}
image_owner = image->get_uid();
is_public = image->isPublic();
image->unlock();
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
@ -69,8 +83,8 @@ void RequestManager::ImageRemoveAttribute::execute(
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::MANAGE,
0,
image->isPublic());
image_owner,
is_public);
if (UserPool::authorize(ar) == -1)
{

24
src/rm/RequestManagerImageUpdate.cc
View File

@ -35,6 +35,9 @@ void RequestManager::ImageUpdate::execute(
string name;
string value;
int rc;
int image_owner;
bool is_public;
Image * image;
@ -53,14 +56,25 @@ void RequestManager::ImageUpdate::execute(
value = xmlrpc_c::value_string(paramList.getString(3));
// First, we need to authenticate the user
rc = ImageUpdate::upool->authenticate(session);
uid = ImageUpdate::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
// Get image from the ImagePool
image = ImageUpdate::ipool->get(iid,true);
uid = rc;
if ( image == 0 )
{
goto error_image_get;
}
image_owner = image->get_uid();
is_public = image->isPublic();
image->unlock();
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
@ -70,8 +84,8 @@ void RequestManager::ImageUpdate::execute(
ar.add_auth(AuthRequest::IMAGE,
iid,
AuthRequest::MANAGE,
0,
image->isPublic());
image_owner,
is_public);
if (UserPool::authorize(ar) == -1)
{

35
src/rm/RequestManagerUserPoolInfo.cc
View File

@ -17,6 +17,8 @@
#include "RequestManager.h"
#include "NebulaLog.h"
#include "AuthManager.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -26,7 +28,8 @@ void RequestManager::UserPoolInfo::execute(
{
string session;
int rc;
int rc;
int uid;
ostringstream oss;
const string method_name = "UserPoolInfo";
@ -41,15 +44,31 @@ void RequestManager::UserPoolInfo::execute(
session = xmlrpc_c::value_string(paramList.getString(0));
// Only oneadmin can list the whole user pool
rc = UserPoolInfo::upool->authenticate(session);
uid = UserPoolInfo::upool->authenticate(session);
if ( rc != 0 )
if ( uid == -1 )
{
goto error_authenticate;
}
// Now let's get the info
//Authorize the operation
if ( uid != 0 ) // uid == 0 means oneadmin
{
AuthRequest ar(uid);
ar.add_auth(AuthRequest::USER,
-1,
AuthRequest::INFO,
0,
false);
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
// Now let's get the info
rc = UserPoolInfo::upool->dump(oss,"");
if ( rc != 0 )
@ -71,9 +90,13 @@ void RequestManager::UserPoolInfo::execute(
error_authenticate:
oss.str(authenticate_error(method_name));
goto error_common;
error_authorize:
oss.str(authorization_error(method_name, "INFO", "USER", uid, -1));
goto error_common;
error_dumping:
oss.str(get_error(method_name, "IMAGE", -1));
oss.str(get_error(method_name, "USER", -1));
goto error_common;
error_common:

22
src/rm/RequestManagerVirtualNetworkInfo.cc
View File

@ -63,23 +63,6 @@ void RequestManager::VirtualNetworkInfo::execute(
goto error_vn_get;
}
//Authorize the operation
if ( rc != 0 ) // rc == 0 means oneadmin
{
AuthRequest ar(rc);
ar.add_auth(AuthRequest::NET,
nid,
AuthRequest::USE,
0,
vn->isPublic());
if (UserPool::authorize(ar) == -1)
{
goto error_authorize;
}
}
oss << *vn;
vn->unlock();
@ -104,11 +87,6 @@ error_vn_get:
oss.str(get_error(method_name, "NET", nid));
goto error_common;
error_authorize:
vn->unlock();
oss.str(authorization_error(method_name, "USE", "NET", rc, nid));
goto error_common;
error_common:
arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE
arrayData.push_back(xmlrpc_c::value_string(oss.str()));

2
src/rm/RequestManagerVirtualNetworkPoolInfo.cc
View File

@ -63,6 +63,8 @@ void RequestManager::VirtualNetworkPoolInfo::execute(
* -1 :: User's VMs
* >=0 :: UID User's VMs
**/
// TODO define authorization (bug #278)
if (filter_flag == -1)
{
User::split_secret(session,username,password);

6
src/rm/RequestManagerVirtualNetworkPublish.cc
View File

@ -52,15 +52,13 @@ void RequestManager::VirtualNetworkPublish::execute(
publish_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2));
// First, we need to authenticate the user
rc = VirtualNetworkPublish::upool->authenticate(session);
uid = VirtualNetworkPublish::upool->authenticate(session);
if ( rc == -1 )
if ( uid == -1 )
{
goto error_authenticate;
}
uid = rc;
// Get virtual network from the VirtualNetworkPool
vn = VirtualNetworkPublish::vnpool->get(nid,true);