From 261461ffb7e6b033c66592786769f0ec9ce4f779 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Mart=C3=ADn?=
Date: Mon, 16 Apr 2012 15:06:06 +0200
Subject: [PATCH 1/2] Bug #834: When a group is deleted, ACL rules that match '__ __/@gid __' are cleaned
---
 include/AclManager.h | 10 ++++++++++
 src/acl/AclManager.cc | 43 +++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/include/AclManager.h b/include/AclManager.h
index 8887e4c74d..b8feceeb6e 100644
--- a/include/AclManager.h
+++ b/include/AclManager.h
@@ -220,6 +220,16 @@ private:
 */
 void del_user_matching_rules(long long user_req);
+ /**
+ * Deletes all rules that match the resource mask
+ *
+ * @param resource_req 64 bit request, ob. type and group id
+ * @param resource_mask Mask with ob. type and group flags
+ */
+ void del_resource_matching_rules(
+ long long resource_req,
+ long long resource_mask);
+
 // ----------------------------------------
 // Mutex synchronization
 // ----------------------------------------
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index 0c9f9c6b59..174282b004 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -549,6 +549,8 @@ void AclManager::del_uid_rules(int uid)
 {
 long long user_req = AclRule::INDIVIDUAL_ID | uid;
+ // Delete rules that match
+ // #uid __/__ __
 del_user_matching_rules(user_req);
 }
@@ -557,9 +559,16 @@ void AclManager::del_uid_rules(int uid)
 void AclManager::del_gid_rules(int gid)
 {
- long long user_req = AclRule::GROUP_ID | gid;
+ long long request = AclRule::GROUP_ID | gid;
+ long long resource_gid_mask = AclRule::GROUP_ID |
+ 0x00000000FFFFFFFFLL;
- del_user_matching_rules(user_req);
+ // Delete rules that match
+ // @gid __/__ __
+ del_user_matching_rules(request);
+
+ // __ __/@gid __
+ del_resource_matching_rules(request, resource_gid_mask);
 }
 /* -------------------------------------------------------------------------- */
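Review bot: The new doc comment for del_resource_matching_rules in include/AclManager.h ties resource_req to "ob. type and group id", but the implementation compares `(resource & resource_mask) == resource_req` for whatever bits the caller puts in the mask, so the helper is just as usable with an individual id and with any subset of the object-type bits (the second patch already calls it with `INDIVIDUAL_ID | oid`). I would document the contract rather than the first caller: `@param resource_req 64 bit resource value to match: object type bits, individual/group id flag and id` and `@param resource_mask Bits of the resource field that take part in the comparison; bits cleared in the mask match any value`. That keeps the header accurate as more callers reuse the helper.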
@@ -595,6 +604,36 @@ void AclManager::del_user_matching_rules(long long user_req)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
+void AclManager::del_resource_matching_rules(long long resource_req,
+ long long resource_mask)
+{
+ multimap::iterator it;
+
+ vector oids;
+ vector::iterator oid_it;
+ string error_str;
+
+ lock();
+
+ for ( it = acl_rules.begin(); it != acl_rules.end(); it++ )
+ {
+ if ( ( it->second->resource & resource_mask ) == resource_req )
+ {
+ oids.push_back(it->second->oid);
+ }
+ }
+
+ unlock();
+
+ for ( oid_it = oids.begin() ; oid_it < oids.end(); oid_it++ )
+ {
+ del_rule(*oid_it, error_str);
+ }
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 void AclManager::reverse_search(int uid, int gid, PoolObjectSQL::ObjectType obj_type,
From f747332367840d6d9dab7eb7ccfe9ed84424c67e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Mart=C3=ADn?=
Date: Mon, 16 Apr 2012 16:24:42 +0200
Subject: [PATCH 2/2] Bug #834: When any object type is deleted, its ACL rules are also deleted
---
 include/AclManager.h | 8 ++++++++
 include/RequestManagerDelete.h | 11 +++--------
 src/acl/AclManager.cc | 17 +++++++++++++++++
 src/rm/RequestManagerDelete.cc | 2 ++
 4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/include/AclManager.h b/include/AclManager.h
index b8feceeb6e..1107b7917c 100644
--- a/include/AclManager.h
+++ b/include/AclManager.h
@@ -107,6 +107,14 @@ public:
 */
 void del_gid_rules(int gid);
+ /**
+ * Deletes all rules that apply to this resource
+ *
+ * @param oid Id of the deleted object
+ * @param obj_type Object type
+ */
+ void del_resource_rules(int oid, PoolObjectSQL::ObjectType obj_type);
+ /**
+ * Searches what resources of type obj_type the ACL rules set allows
+ * the given user to perform the operation.
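Review bot: The result of `del_rule(*oid_it, error_str)` in the second loop of del_resource_matching_rules is dropped and error_str is never read, so a rule that cannot be removed silently survives the deletion of the group (and, with the second patch, of any object) while the caller in src/rm/RequestManagerDelete.cc has already answered success; nothing in the logs records that an ACL entry still references an id that no longer exists. At minimum log the failure, e.g. `if ( del_rule(*oid_it, error_str) != 0 ) { NebulaLog::log("ACL", Log::ERROR, error_str.c_str()); }`, adapted to del_rule's actual return convention, which is not visible in this hunk. The existing del_user_matching_rules shows the same pattern, so both loops should be changed together. The lock is also released between collecting the oids and the del_rule calls, so a matching rule inserted in that window is not removed; if that is an accepted trade-off (del_rule presumably takes the lock itself), a one-line comment above `unlock();` saying so would spare the next reader the analysis.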
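Review bot: `Deletes all rules that apply to this resource` in the new del_resource_rules declaration promises more than the implementation in src/acl/AclManager.cc delivers: that function builds the request with an all-ones mask, so only rules whose resource field is exactly `obj_type | INDIVIDUAL_ID | oid` are removed, and a rule that lists several object types for the same id (the `__ IMAGE+TEMPLATE/#7 __` example in its own comment) keeps an entry for the deleted id. Say so in the header, e.g. `Deletes the rules whose resource is exactly #oid of type obj_type; rules that cover #oid together with other object types are left untouched`, and turn the .cc comment into a `// TODO:` so the gap is tracked rather than merely acknowledged. Closing it would mean matching on `(resource & (AclRule::INDIVIDUAL_ID | 0x00000000FFFFFFFFLL)) == (AclRule::INDIVIDUAL_ID | oid)` plus a test of the obj_type bit, and clearing just that type bit from a multi-type rule instead of deleting it, which is a change to the matching helper rather than to this declaration.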
diff --git a/include/RequestManagerDelete.h b/include/RequestManagerDelete.h
index 447b8e4027..f00b92076d 100644
--- a/include/RequestManagerDelete.h
+++ b/include/RequestManagerDelete.h
@@ -38,6 +38,7 @@ protected:
 Nebula& nd = Nebula::instance();
 clpool = nd.get_clpool();
+ aclm = nd.get_aclm();
 };
 ~RequestManagerDelete(){};
@@ -64,8 +65,9 @@ protected:
 return -1;
 };
-private:
+protected:
 ClusterPool * clpool;
+ AclManager * aclm;
 };
@@ -180,7 +182,6 @@ public:
 {
 Nebula& nd = Nebula::instance();
 pool = nd.get_gpool();
- aclm = nd.get_aclm();
 auth_object = PoolObjectSQL::GROUP;
 auth_op = AuthRequest::ADMIN;
@@ -190,10 +191,6 @@ public:
 /* -------------------------------------------------------------------- */
- AclManager * aclm;
-
- /* -------------------------------------------------------------------- */
-
 int drop(int oid, PoolObjectSQL * object, string& error_msg);
 };
@@ -209,7 +206,6 @@ public:
 Nebula& nd = Nebula::instance();
 pool = nd.get_upool();
 gpool = nd.get_gpool();
- aclm = nd.get_aclm();
 auth_object = PoolObjectSQL::USER;
 auth_op = AuthRequest::ADMIN;
@@ -220,7 +216,6 @@ public:
 /* -------------------------------------------------------------------- */
 GroupPool * gpool;
- AclManager * aclm;
 /* -------------------------------------------------------------------- */
diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc
index 174282b004..5075767fa0 100644
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@@ -574,6 +574,23 @@ void AclManager::del_gid_rules(int gid)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
+void AclManager::del_resource_rules(int oid, PoolObjectSQL::ObjectType obj_type)
+{
+ long long request = obj_type |
+ AclRule::INDIVIDUAL_ID |
+ oid;
+
+ long long mask = 0xFFFFFFFFFFFFFFFFLL;
+
+ // Delete rules that are an exact match, i.e. for oid=7 and obj_type=IMAGE,
+ // this rule applies, but can't be deleted:
+ // __ IMAGE+TEMPLATE/#7 __
+ del_resource_matching_rules(request, mask);
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 void AclManager::del_user_matching_rules(long long user_req)
 {
 multimap::iterator it;
diff --git a/src/rm/RequestManagerDelete.cc b/src/rm/RequestManagerDelete.cc
index 4a0f027127..f2d74115e2 100644
--- a/src/rm/RequestManagerDelete.cc
+++ b/src/rm/RequestManagerDelete.cc
@@ -96,6 +96,8 @@ void RequestManagerDelete::request_execute(xmlrpc_c::paramList const& paramList,
 return;
 }
+ aclm->del_resource_rules(oid, auth_object);
+
 success_response(oid, att);
 return;