From 0659115f705e3dbb1722a4387cf6cf4903b3835d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tino=20V=C3=A1zquez?= Date: Tue, 13 Jul 2010 18:16:05 +0200 Subject: [PATCH] feature #203: Finishing RM authorization task --- include/AuthManager.h | 12 ++-- src/authm/AuthManager.cc | 19 +++++-- src/rm/RequestManagerClusterAdd.cc | 7 ++- src/rm/RequestManagerClusterAllocate.cc | 4 +- src/rm/RequestManagerClusterDelete.cc | 4 +- src/rm/RequestManagerHostInfo.cc | 10 ++-- src/rm/RequestManagerImageAllocate.cc | 6 +- src/rm/RequestManagerImageDelete.cc | 26 +++++++-- src/rm/RequestManagerImageEnable.cc | 26 +++++++-- src/rm/RequestManagerImageInfo.cc | 34 ++--------- src/rm/RequestManagerImagePoolInfo.cc | 20 +------ src/rm/RequestManagerImagePublish.cc | 57 ++++++++++++------- src/rm/RequestManagerImageRemoveAttribute.cc | 24 ++++++-- src/rm/RequestManagerImageUpdate.cc | 24 ++++++-- src/rm/RequestManagerUserPoolInfo.cc | 35 ++++++++++-- src/rm/RequestManagerVirtualNetworkInfo.cc | 22 ------- .../RequestManagerVirtualNetworkPoolInfo.cc | 2 + src/rm/RequestManagerVirtualNetworkPublish.cc | 6 +- 18 files changed, 195 insertions(+), 143 deletions(-) diff --git a/include/AuthManager.h b/include/AuthManager.h index f9c7afdd94..d29a163560 100644 --- a/include/AuthManager.h +++ b/include/AuthManager.h @@ -276,10 +276,11 @@ public: */ enum Operation { - CREATE, /** Authorization to create an object (host, vm, net, image)*/ - DELETE, /** Authorization to delete an object */ - USE, /** Authorization to use an object */ - MANAGE /** Authorization to manage an object */ + CREATE, /** Authorization to create an object (host, vm, net, image)*/ + DELETE, /** Authorization to delete an object */ + USE, /** Authorization to use an object */ + MANAGE, /** Authorization to manage an object */ + INFO /** Authorization to view an object */ }; /** @@ -291,7 +292,8 @@ public: HOST, NET, IMAGE, - USER + USER, + CLUSTER }; /** diff --git a/src/authm/AuthManager.cc b/src/authm/AuthManager.cc index 4704c2031a..d3ccf6a6d4 100644 --- a/src/authm/AuthManager.cc +++ b/src/authm/AuthManager.cc @@ -80,11 +80,12 @@ void AuthRequest::add_auth(Object ob, switch (ob) { - case VM: oss << "VM:" ; break; - case HOST: oss << "HOST:" ; break; - case NET: oss << "NET:" ; break; - case IMAGE: oss << "IMAGE:" ; break; - case USER: oss << "USER:" ; break; + case VM: oss << "VM:" ; break; + case HOST: oss << "HOST:" ; break; + case NET: oss << "NET:" ; break; + case IMAGE: oss << "IMAGE:" ; break; + case USER: oss << "USER:" ; break; + case CLUSTER: oss << "CLUSTER:" ; break; } if (op == CREATE) //encode the ob_id, it is a template @@ -123,6 +124,10 @@ void AuthRequest::add_auth(Object ob, case MANAGE: oss << "MANAGE:" ; break; + + case INFO: + oss << "INFO:" ; + break; } oss << owner << ":" << pub; @@ -166,6 +171,10 @@ void AuthRequest::add_auth(Object ob, case MANAGE: auth = owner == uid; break; + + case INFO: // This is for completeness, as the only INFO existing + // is for UserPool, and just oneadmin can see it + break; } } diff --git a/src/rm/RequestManagerClusterAdd.cc b/src/rm/RequestManagerClusterAdd.cc index 199928e6e4..b42f156e61 100644 --- a/src/rm/RequestManagerClusterAdd.cc +++ b/src/rm/RequestManagerClusterAdd.cc @@ -61,8 +61,9 @@ void RequestManager::ClusterAdd::execute( if ( rc != 0 ) // rc == 0 means oneadmin { AuthRequest ar(rc); - + ar.add_auth(AuthRequest::HOST,hid,AuthRequest::MANAGE,0,false); + ar.add_auth(AuthRequest::CLUSTER,clid,AuthRequest::USE,0,false); if (UserPool::authorize(ar) == -1) { @@ -107,7 +108,7 @@ error_authenticate: goto error_common; error_authorize: - oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, hid)); + oss.str(authorization_error(method_name, "USE", "CLUSTER", rc, clid)); goto error_common; error_host_get: @@ -116,7 +117,7 @@ error_host_get: error_cluster_add: host->unlock(); - oss.str(action_error(method_name, "MANAGE", "HOST", hid, rc)); + oss.str(action_error(method_name, "USE", "CLUSTER", clid, rc)); goto error_common; error_common: diff --git a/src/rm/RequestManagerClusterAllocate.cc b/src/rm/RequestManagerClusterAllocate.cc index 05dbb647f2..72e154e6e5 100644 --- a/src/rm/RequestManagerClusterAllocate.cc +++ b/src/rm/RequestManagerClusterAllocate.cc @@ -59,7 +59,7 @@ void RequestManager::ClusterAllocate::execute( { AuthRequest ar(rc); - ar.add_auth(AuthRequest::HOST,-1,AuthRequest::MANAGE,0,false); + ar.add_auth(AuthRequest::CLUSTER,-1,AuthRequest::CREATE,0,false); if (UserPool::authorize(ar) == -1) { @@ -91,7 +91,7 @@ error_authenticate: goto error_common; error_authorize: - oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, -1)); + oss.str(authorization_error(method_name, "CREATE", "CLUSTER", rc, -1)); goto error_common; error_cluster_allocate: diff --git a/src/rm/RequestManagerClusterDelete.cc b/src/rm/RequestManagerClusterDelete.cc index e840dd6689..ddfcee56e3 100644 --- a/src/rm/RequestManagerClusterDelete.cc +++ b/src/rm/RequestManagerClusterDelete.cc @@ -58,7 +58,7 @@ void RequestManager::ClusterDelete::execute( { AuthRequest ar(rc); - ar.add_auth(AuthRequest::HOST,-1,AuthRequest::MANAGE,0,false); + ar.add_auth(AuthRequest::CLUSTER,clid,AuthRequest::DELETE,0,false); if (UserPool::authorize(ar) == -1) { @@ -89,7 +89,7 @@ error_authenticate: goto error_common; error_authorize: - oss.str(authorization_error(method_name, "MANAGE", "HOST", rc, -1)); + oss.str(authorization_error(method_name, "DELETE", "CLUSTER", rc, clid)); goto error_common; error_cluster_delete: diff --git a/src/rm/RequestManagerHostInfo.cc b/src/rm/RequestManagerHostInfo.cc index c94b73c24f..f6b351b2d6 100644 --- a/src/rm/RequestManagerHostInfo.cc +++ b/src/rm/RequestManagerHostInfo.cc @@ -24,11 +24,11 @@ void RequestManager::HostInfo::execute( xmlrpc_c::paramList const& paramList, xmlrpc_c::value * const retval) { - string session; - - int hid; - int rc; - Host * host; + string session; + + int hid; + int rc; + Host * host; ostringstream oss; diff --git a/src/rm/RequestManagerImageAllocate.cc b/src/rm/RequestManagerImageAllocate.cc index 10f47a047c..74357cf73b 100644 --- a/src/rm/RequestManagerImageAllocate.cc +++ b/src/rm/RequestManagerImageAllocate.cc @@ -51,15 +51,13 @@ void RequestManager::ImageAllocate::execute( // First, we need to authenticate the user - rc = ImageAllocate::upool->authenticate(session); + uid = ImageAllocate::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } - uid = rc; - rc = ImageAllocate::ipool->allocate(uid,image_template,&iid); if ( rc < 0 ) diff --git a/src/rm/RequestManagerImageDelete.cc b/src/rm/RequestManagerImageDelete.cc index 846e77109b..6d7813063c 100644 --- a/src/rm/RequestManagerImageDelete.cc +++ b/src/rm/RequestManagerImageDelete.cc @@ -33,6 +33,9 @@ void RequestManager::ImageDelete::execute( int iid; int uid; int rc; + + int image_owner; + bool is_public; Image * image; @@ -51,21 +54,36 @@ void RequestManager::ImageDelete::execute( // First, we need to authenticate the user - rc = ImageDelete::upool->authenticate(session); + uid = ImageDelete::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } + + // Get image from the ImagePool + image = ImageDelete::ipool->get(iid,true); - uid = rc; + if ( image == 0 ) + { + goto error_image_get; + } + + image_owner = image->get_uid(); + is_public = image->isPublic(); + + image->unlock(); //Authorize the operation if ( uid != 0 ) // uid == 0 means oneadmin { AuthRequest ar(uid); - ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::DELETE,0,false); + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::DELETE, + image_owner, + is_public); if (UserPool::authorize(ar) == -1) { diff --git a/src/rm/RequestManagerImageEnable.cc b/src/rm/RequestManagerImageEnable.cc index e21110b42c..498875fb28 100644 --- a/src/rm/RequestManagerImageEnable.cc +++ b/src/rm/RequestManagerImageEnable.cc @@ -35,6 +35,9 @@ void RequestManager::ImageEnable::execute( int uid; int rc; + int image_owner; + bool is_public; + Image * image; ostringstream oss; @@ -52,21 +55,36 @@ void RequestManager::ImageEnable::execute( enable_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2)); // First, we need to authenticate the user - rc = ImageEnable::upool->authenticate(session); + uid = ImageEnable::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } - uid = rc; + // Get image from the ImagePool + image = ImageEnable::ipool->get(iid,true); + + if ( image == 0 ) + { + goto error_image_get; + } + + image_owner = image->get_uid(); + is_public = image->isPublic(); + + image->unlock(); //Authorize the operation if ( uid != 0 ) // uid == 0 means oneadmin { AuthRequest ar(uid); - ar.add_auth(AuthRequest::IMAGE,iid,AuthRequest::MANAGE,0,false); + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::MANAGE, + image_owner, + is_public); if (UserPool::authorize(ar) == -1) { diff --git a/src/rm/RequestManagerImageInfo.cc b/src/rm/RequestManagerImageInfo.cc index cb3c838de4..9359460887 100644 --- a/src/rm/RequestManagerImageInfo.cc +++ b/src/rm/RequestManagerImageInfo.cc @@ -28,14 +28,14 @@ void RequestManager::ImageInfo::execute( { string session; - int iid; - int uid; // Image owner user id - int rc; // Requesting user id - Image * image; - + int iid; + int uid; // Image owner user id + int rc; // Requesting user id + Image * image; + ostringstream oss; - const string method_name = "ImageInfo"; + const string method_name = "ImageInfo"; /* -- RPC specific vars -- */ vector arrayData; @@ -65,23 +65,6 @@ void RequestManager::ImageInfo::execute( goto error_authenticate; } - //Authorize the operation - if ( rc != 0 ) // rc == 0 means oneadmin - { - AuthRequest ar(rc); - - ar.add_auth(AuthRequest::IMAGE, - iid, - AuthRequest::USE, - 0, - image->isPublic()); - - if (UserPool::authorize(ar) == -1) - { - goto error_authorize; - } - } - oss << *image; image->unlock(); @@ -107,11 +90,6 @@ error_authenticate: image->unlock(); goto error_common; -error_authorize: - oss.str(authorization_error(method_name, "USE", "IMAGE", rc, iid)); - image->unlock(); - goto error_common; - error_common: arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE arrayData.push_back(xmlrpc_c::value_string(oss.str())); diff --git a/src/rm/RequestManagerImagePoolInfo.cc b/src/rm/RequestManagerImagePoolInfo.cc index b0c3b4e64d..d634243c3e 100755 --- a/src/rm/RequestManagerImagePoolInfo.cc +++ b/src/rm/RequestManagerImagePoolInfo.cc @@ -46,14 +46,12 @@ void RequestManager::ImagePoolInfo::execute( filter_flag = xmlrpc_c::value_int(paramList.getInt(1)); // Check if it is a valid user - rc = ImagePoolInfo::upool->authenticate(session); + uid = ImagePoolInfo::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } - - uid = rc; where_string.str(""); @@ -70,21 +68,13 @@ void RequestManager::ImagePoolInfo::execute( switch(filter_flag) { case -2: - if ( uid != 0 ) - { - goto error_authorization; - } + // TODO define authentication bug #278 // where remains empty. break; case -1: where_string << "UID=" << uid << " OR public = 'YES'"; break; default: - // Only oneadmin or the user can list a specific user's images. - if ( uid != 0 && uid != filter_flag ) - { - goto error_authorization; - } where_string << "UID=" << filter_flag; } @@ -114,10 +104,6 @@ error_authenticate: oss.str(authenticate_error(method_name)); goto error_common; -error_authorization: - oss.str(authorization_error(method_name, "USE", "IMAGE", uid, NULL)); - goto error_common; - error_filter_flag: oss << "Incorrect filter_flag, must be >= -2."; goto error_common; diff --git a/src/rm/RequestManagerImagePublish.cc b/src/rm/RequestManagerImagePublish.cc index ad3d1c899b..9137766983 100644 --- a/src/rm/RequestManagerImagePublish.cc +++ b/src/rm/RequestManagerImagePublish.cc @@ -33,7 +33,9 @@ void RequestManager::ImagePublish::execute( int iid; bool publish_flag; int uid; - int rc; + + int image_owner; + bool is_public; Image * image; @@ -52,32 +54,13 @@ void RequestManager::ImagePublish::execute( publish_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2)); // First, we need to authenticate the user - rc = ImagePublish::upool->authenticate(session); + uid = ImagePublish::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } - uid = rc; - - //Authorize the operation - if ( uid != 0 ) // uid == 0 means oneadmin - { - AuthRequest ar(uid); - - ar.add_auth(AuthRequest::IMAGE, - iid, - AuthRequest::MANAGE, - 0, - image->isPublic()); - - if (UserPool::authorize(ar) == -1) - { - goto error_authorize; - } - } - // Get image from the ImagePool image = ImagePublish::ipool->get(iid,true); @@ -86,6 +69,36 @@ void RequestManager::ImagePublish::execute( goto error_image_get; } + image_owner = image->get_uid(); + is_public = image->isPublic(); + + image->unlock(); + + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::IMAGE, + iid, + AuthRequest::MANAGE, + image_owner, + is_public); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } + + // Get the image locked again + image = ImagePublish::ipool->get(iid,true); + + if ( image == 0 ) + { + goto error_image_get; + } + image->publish(publish_flag); ImagePublish::ipool->update(image); diff --git a/src/rm/RequestManagerImageRemoveAttribute.cc b/src/rm/RequestManagerImageRemoveAttribute.cc index 2aba7ffc7d..a86d05882b 100644 --- a/src/rm/RequestManagerImageRemoveAttribute.cc +++ b/src/rm/RequestManagerImageRemoveAttribute.cc @@ -34,6 +34,9 @@ void RequestManager::ImageRemoveAttribute::execute( int iid; int uid; int rc; + + int image_owner; + bool is_public; Image * image; @@ -52,14 +55,25 @@ void RequestManager::ImageRemoveAttribute::execute( name = xmlrpc_c::value_string(paramList.getString(2)); // First, we need to authenticate the user - rc = ImageRemoveAttribute::upool->authenticate(session); + uid = ImageRemoveAttribute::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } + + // Get image from the ImagePool + image = ImageRemoveAttribute::ipool->get(iid,true); - uid = rc; + if ( image == 0 ) + { + goto error_image_get; + } + + image_owner = image->get_uid(); + is_public = image->isPublic(); + + image->unlock(); //Authorize the operation if ( uid != 0 ) // uid == 0 means oneadmin @@ -69,8 +83,8 @@ void RequestManager::ImageRemoveAttribute::execute( ar.add_auth(AuthRequest::IMAGE, iid, AuthRequest::MANAGE, - 0, - image->isPublic()); + image_owner, + is_public); if (UserPool::authorize(ar) == -1) { diff --git a/src/rm/RequestManagerImageUpdate.cc b/src/rm/RequestManagerImageUpdate.cc index 5783c7dad7..acc6eef587 100644 --- a/src/rm/RequestManagerImageUpdate.cc +++ b/src/rm/RequestManagerImageUpdate.cc @@ -35,6 +35,9 @@ void RequestManager::ImageUpdate::execute( string name; string value; int rc; + + int image_owner; + bool is_public; Image * image; @@ -53,14 +56,25 @@ void RequestManager::ImageUpdate::execute( value = xmlrpc_c::value_string(paramList.getString(3)); // First, we need to authenticate the user - rc = ImageUpdate::upool->authenticate(session); + uid = ImageUpdate::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } + + // Get image from the ImagePool + image = ImageUpdate::ipool->get(iid,true); - uid = rc; + if ( image == 0 ) + { + goto error_image_get; + } + + image_owner = image->get_uid(); + is_public = image->isPublic(); + + image->unlock(); //Authorize the operation if ( uid != 0 ) // uid == 0 means oneadmin @@ -70,8 +84,8 @@ void RequestManager::ImageUpdate::execute( ar.add_auth(AuthRequest::IMAGE, iid, AuthRequest::MANAGE, - 0, - image->isPublic()); + image_owner, + is_public); if (UserPool::authorize(ar) == -1) { diff --git a/src/rm/RequestManagerUserPoolInfo.cc b/src/rm/RequestManagerUserPoolInfo.cc index 7138a4a3a2..70c9434b90 100644 --- a/src/rm/RequestManagerUserPoolInfo.cc +++ b/src/rm/RequestManagerUserPoolInfo.cc @@ -17,6 +17,8 @@ #include "RequestManager.h" #include "NebulaLog.h" +#include "AuthManager.h" + /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ @@ -26,7 +28,8 @@ void RequestManager::UserPoolInfo::execute( { string session; - int rc; + int rc; + int uid; ostringstream oss; const string method_name = "UserPoolInfo"; @@ -41,15 +44,31 @@ void RequestManager::UserPoolInfo::execute( session = xmlrpc_c::value_string(paramList.getString(0)); // Only oneadmin can list the whole user pool - rc = UserPoolInfo::upool->authenticate(session); + uid = UserPoolInfo::upool->authenticate(session); - if ( rc != 0 ) + if ( uid == -1 ) { goto error_authenticate; } - // Now let's get the info - + //Authorize the operation + if ( uid != 0 ) // uid == 0 means oneadmin + { + AuthRequest ar(uid); + + ar.add_auth(AuthRequest::USER, + -1, + AuthRequest::INFO, + 0, + false); + + if (UserPool::authorize(ar) == -1) + { + goto error_authorize; + } + } + + // Now let's get the info rc = UserPoolInfo::upool->dump(oss,""); if ( rc != 0 ) @@ -71,9 +90,13 @@ void RequestManager::UserPoolInfo::execute( error_authenticate: oss.str(authenticate_error(method_name)); goto error_common; + +error_authorize: + oss.str(authorization_error(method_name, "INFO", "USER", uid, -1)); + goto error_common; error_dumping: - oss.str(get_error(method_name, "IMAGE", -1)); + oss.str(get_error(method_name, "USER", -1)); goto error_common; error_common: diff --git a/src/rm/RequestManagerVirtualNetworkInfo.cc b/src/rm/RequestManagerVirtualNetworkInfo.cc index 0ce88949e6..664cf4fdc4 100644 --- a/src/rm/RequestManagerVirtualNetworkInfo.cc +++ b/src/rm/RequestManagerVirtualNetworkInfo.cc @@ -63,23 +63,6 @@ void RequestManager::VirtualNetworkInfo::execute( goto error_vn_get; } - //Authorize the operation - if ( rc != 0 ) // rc == 0 means oneadmin - { - AuthRequest ar(rc); - - ar.add_auth(AuthRequest::NET, - nid, - AuthRequest::USE, - 0, - vn->isPublic()); - - if (UserPool::authorize(ar) == -1) - { - goto error_authorize; - } - } - oss << *vn; vn->unlock(); @@ -104,11 +87,6 @@ error_vn_get: oss.str(get_error(method_name, "NET", nid)); goto error_common; -error_authorize: - vn->unlock(); - oss.str(authorization_error(method_name, "USE", "NET", rc, nid)); - goto error_common; - error_common: arrayData.push_back(xmlrpc_c::value_boolean(false)); // FAILURE arrayData.push_back(xmlrpc_c::value_string(oss.str())); diff --git a/src/rm/RequestManagerVirtualNetworkPoolInfo.cc b/src/rm/RequestManagerVirtualNetworkPoolInfo.cc index 216d3d82f5..ba36bffaa5 100755 --- a/src/rm/RequestManagerVirtualNetworkPoolInfo.cc +++ b/src/rm/RequestManagerVirtualNetworkPoolInfo.cc @@ -63,6 +63,8 @@ void RequestManager::VirtualNetworkPoolInfo::execute( * -1 :: User's VMs * >=0 :: UID User's VMs **/ + + // TODO define authorization (bug #278) if (filter_flag == -1) { User::split_secret(session,username,password); diff --git a/src/rm/RequestManagerVirtualNetworkPublish.cc b/src/rm/RequestManagerVirtualNetworkPublish.cc index 6d6874f52b..4ec9c3d414 100644 --- a/src/rm/RequestManagerVirtualNetworkPublish.cc +++ b/src/rm/RequestManagerVirtualNetworkPublish.cc @@ -52,15 +52,13 @@ void RequestManager::VirtualNetworkPublish::execute( publish_flag = xmlrpc_c::value_boolean(paramList.getBoolean(2)); // First, we need to authenticate the user - rc = VirtualNetworkPublish::upool->authenticate(session); + uid = VirtualNetworkPublish::upool->authenticate(session); - if ( rc == -1 ) + if ( uid == -1 ) { goto error_authenticate; } - uid = rc; - // Get virtual network from the VirtualNetworkPool vn = VirtualNetworkPublish::vnpool->get(nid,true);