diff --git a/include/RequestManagerGroup.h b/include/RequestManagerGroup.h index f4e8eb752e..814595d358 100644 --- a/include/RequestManagerGroup.h +++ b/include/RequestManagerGroup.h @@ -104,9 +104,6 @@ protected: virtual int edit_resource_provider( Group* group, int zone_id, int cluster_id, string& error_msg) = 0; - - virtual int edit_acl_rules( - int group_id, int zone_id, int cluster_id, string& error_msg) = 0; }; /* ------------------------------------------------------------------------- */ @@ -125,9 +122,6 @@ public: int edit_resource_provider( Group* group, int zone_id, int cluster_id, string& error_msg); - - int edit_acl_rules( - int group_id, int zone_id, int cluster_id, string& error_msg); }; /* ------------------------------------------------------------------------- */ @@ -146,9 +140,6 @@ public: int edit_resource_provider( Group* group, int zone_id, int cluster_id, string& error_msg); - - int edit_acl_rules( - int group_id, int zone_id, int cluster_id, string& error_msg); }; /* -------------------------------------------------------------------------- */ diff --git a/src/acl/AclManager.cc b/src/acl/AclManager.cc index fd408d29d8..fa525a922f 100644 --- a/src/acl/AclManager.cc +++ b/src/acl/AclManager.cc @@ -96,17 +96,7 @@ AclManager::AclManager( zone_id, error_str); - // Users in USERS can deploy VMs in any HOST - // @1 HOST/* MANAGE # - add_rule(AclRule::GROUP_ID | - 1, - AclRule::ALL_ID | - PoolObjectSQL::HOST, - AuthRequest::MANAGE, - AclRule::INDIVIDUAL_ID | - zone_id, - error_str); - + // * DOCUMENT/* CREATE # add_rule(AclRule::ALL_ID, AclRule::ALL_ID | PoolObjectSQL::DOCUMENT, @@ -115,7 +105,7 @@ AclManager::AclManager( zone_id, error_str); - // @ ZONE/# USE * + // * ZONE/* USE * add_rule(AclRule::ALL_ID, AclRule::ALL_ID | PoolObjectSQL::ZONE, diff --git a/src/group/Group.cc b/src/group/Group.cc index 3f0c31e1f3..7af368375e 100644 --- a/src/group/Group.cc +++ b/src/group/Group.cc 
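Review bot: Dropping the bootstrap rule `@1 HOST/* MANAGE #` from AclManager's default set changes what the admin group may do on hosts, and the only place this commit recreates equivalent rules is the GroupPool constructor's bootstrap path, which from the hunks appears to run only when the pool is first populated. A deployment whose database predates this change would therefore keep the old wildcard HOST rule and never receive the per-zone, per-cluster rules, so the effective permissions of old and new installs diverge. If that is intended, a comment beside the surviving `// * DOCUMENT/* CREATE #` line, e.g. `// Host/datastore/network access is granted per resource provider, see Group::add_resource_provider()`, plus an upgrade note would make it explicit. AclManager::AclManager continues outside the hunk on both sides.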
@@ -317,6 +317,11 @@ int Group::from_xml(const string& xml) int Group::add_resource_provider(int zone_id, int cluster_id, string& error_msg) { + AclManager* aclm = Nebula::instance().get_aclm(); + + int rc = 0; + long long mask_prefix; + pair >::iterator,bool> ret; ret = providers.insert(pair(zone_id, cluster_id)); @@ -327,6 +332,51 @@ int Group::add_resource_provider(int zone_id, int cluster_id, string& error_msg) return -1; } + if (cluster_id == ClusterPool::ALL_RESOURCES) + { + mask_prefix = AclRule::ALL_ID; + } + else + { + mask_prefix = AclRule::CLUSTER_ID | cluster_id; + } + + // @ HOST/% MANAGE # + rc += aclm->add_rule( + AclRule::GROUP_ID | + oid, + + mask_prefix | + PoolObjectSQL::HOST, + + AuthRequest::MANAGE, + + AclRule::INDIVIDUAL_ID | + zone_id, + + error_msg); + + // @ DATASTORE+NET/% USE # + rc += aclm->add_rule( + AclRule::GROUP_ID | + oid, + + mask_prefix | + PoolObjectSQL::DATASTORE | + PoolObjectSQL::NET, + + AuthRequest::USE, + + AclRule::INDIVIDUAL_ID | + zone_id, + + error_msg); + + if (rc != 0) + { + return -1; + } + return 0; } 
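Review bot: In Group::add_resource_provider the provider is inserted into `providers` before the two add_rule calls, so when `rc != 0` the function returns -1 with the provider still recorded and possibly with only the HOST rule created, leaving the group's provider list and its ACL rules out of step. Roll the insert back on the failure path, e.g. `if (rc != 0) { providers.erase(make_pair(zone_id, cluster_id)); return -1; }`, and consider a compensating del_rule for the HOST rule when only the second add_rule fails; error_msg is already filled by the failing call. The same ordering appears in Group::del_resource_provider in the next hunk, where `providers.erase()` runs before del_rule and a failed del_rule leaves the provider removed but its rules still granting access. Summing return codes with `rc +=` also hides which call failed; checking each call on its own would let the rollback undo exactly what succeeded.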
@@ -335,11 +385,63 @@ int Group::add_resource_provider(int zone_id, int cluster_id, string& error_msg) int Group::del_resource_provider(int zone_id, int cluster_id, string& error_msg) { + AclManager* aclm = Nebula::instance().get_aclm(); + + int rc = 0; + + long long mask_prefix; + if( providers.erase(pair(zone_id, cluster_id)) != 1 ) { error_msg = "Resource provider is not assigned to this group"; return -1; } + if (cluster_id == ClusterPool::ALL_RESOURCES) + { + mask_prefix = AclRule::ALL_ID; + } + else + { + mask_prefix = AclRule::CLUSTER_ID | cluster_id; + } + + // @ HOST/% MANAGE # + rc += aclm->del_rule( + AclRule::GROUP_ID | + oid, + + mask_prefix | + PoolObjectSQL::HOST, + + AuthRequest::MANAGE, + + AclRule::INDIVIDUAL_ID | + zone_id, + + error_msg); + + // @ DATASTORE+NET/% USE # + rc += aclm->del_rule( + AclRule::GROUP_ID | + oid, + + mask_prefix | + PoolObjectSQL::DATASTORE | + PoolObjectSQL::NET, + + AuthRequest::USE, + + AclRule::INDIVIDUAL_ID | + zone_id, + + error_msg); + + if (rc != 0) + { + return -1; + } + return 0; } + diff --git a/src/group/GroupPool.cc b/src/group/GroupPool.cc index 2340fe0433..829d7c8d60 100644 --- a/src/group/GroupPool.cc +++ b/src/group/GroupPool.cc @@ -77,6 +77,12 @@ GroupPool::GroupPool(SqlDB * db, goto error_groups; } + group = get(rc, true); + + group->add_resource_provider(Nebula::instance().get_zone_id(), ClusterPool::ALL_RESOURCES, error_str); + + group->unlock(); + set_update_lastOID(99); } diff --git a/src/nebula/Nebula.cc b/src/nebula/Nebula.cc index da1eb823d2..203970504c 100644 --- a/src/nebula/Nebula.cc +++ b/src/nebula/Nebula.cc 
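Review bot: The bootstrap block added to GroupPool::GroupPool checks neither the pointer returned by `get(rc, true)` nor the return value of `add_resource_provider`, so a failed lookup dereferences a null pointer at `group->add_resource_provider(...)` and a failed rule creation leaves the fresh install without the HOST/DATASTORE/NET rules while error_str is silently discarded. Guard both: `if (group == 0) goto error_groups;` before the call, and on a non-zero return unlock the group and route to the existing error_groups path (or at least log error_str) rather than continuing to `set_update_lastOID(99)`. Whether error_groups reports error_str is not visible in the hunk, so confirm that path surfaces the message. GroupPool::GroupPool continues outside the hunk on both sides.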
@@ -377,6 +377,59 @@ void Nebula::start(bool bootstrap_only) return; } + // ----------------------------------------------------------- + // Close stds, we no longer need them + // ----------------------------------------------------------- + + fd = open("/dev/null", O_RDWR); + + dup2(fd,0); + dup2(fd,1); + dup2(fd,2); + + close(fd); + + fcntl(0,F_SETFD,0); // Keep them open across exec funcs + fcntl(1,F_SETFD,0); + fcntl(2,F_SETFD,0); + + // ----------------------------------------------------------- + // Block all signals before creating any Nebula thread + // ----------------------------------------------------------- + + sigfillset(&mask); + + pthread_sigmask(SIG_BLOCK, &mask, NULL); + + // ----------------------------------------------------------- + //Managers + // ----------------------------------------------------------- + + MadManager::mad_manager_system_init(); + + time_t timer_period; + time_t monitor_period; + + nebula_configuration->get("MANAGER_TIMER", timer_period); + nebula_configuration->get("MONITORING_INTERVAL", monitor_period); + + // ---- ACL Manager ---- + try + { + aclm = new AclManager(db, zone_id, is_federation_slave(), timer_period); + } + catch (bad_alloc&) + { + throw; + } + + rc = aclm->start(); + + if ( rc != 0 ) + { + throw runtime_error("Could not start the ACL Manager"); + } + // ----------------------------------------------------------- // Pools // ----------------------------------------------------------- 
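Review bot: Nothing in the moved block says why the ACL Manager is now started ahead of the pool section, although the ordering is now load-bearing: GroupPool's constructor in this commit calls Group::add_resource_provider, which obtains the manager through `Nebula::instance().get_aclm()`, so creating the pools first would hand that call an unset aclm. Add a comment above `// ---- ACL Manager ----`, e.g. `// Must be started before the pools: GroupPool bootstrap registers ACL rules via Group::add_resource_provider()`. The relocated code also still ignores the result of `open("/dev/null", O_RDWR)` before the dup2 calls, and `catch (bad_alloc&) { throw; }` is a no-op rethrow; both predate this change but now sit in the code under review. Nebula::start continues outside the hunk on both sides.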
@@ -487,41 +540,6 @@ void Nebula::start(bool bootstrap_only) throw; } - // ----------------------------------------------------------- - // Close stds, we no longer need them - // ----------------------------------------------------------- - - fd = open("/dev/null", O_RDWR); - - dup2(fd,0); - dup2(fd,1); - dup2(fd,2); - - close(fd); - - fcntl(0,F_SETFD,0); // Keep them open across exec funcs - fcntl(1,F_SETFD,0); - fcntl(2,F_SETFD,0); - - // ----------------------------------------------------------- - // Block all signals before creating any Nebula thread - // ----------------------------------------------------------- - - sigfillset(&mask); - - pthread_sigmask(SIG_BLOCK, &mask, NULL); - - // ----------------------------------------------------------- - //Managers - // ----------------------------------------------------------- - - MadManager::mad_manager_system_init(); - - time_t timer_period; - time_t monitor_period; - - nebula_configuration->get("MANAGER_TIMER", timer_period); - nebula_configuration->get("MONITORING_INTERVAL", monitor_period); // ---- Virtual Machine Manager ---- try @@ -698,23 +716,6 @@ void Nebula::start(bool bootstrap_only) } } - // ---- ACL Manager ---- - try - { - aclm = new AclManager(db, zone_id, is_federation_slave(), timer_period); - } - catch (bad_alloc&) - { - throw; - } - - rc = aclm->start(); - - if ( rc != 0 ) - { - throw runtime_error("Could not start the ACL Manager"); - } - // ---- Image Manager ---- try { diff --git a/src/rm/RequestManagerGroup.cc b/src/rm/RequestManagerGroup.cc index 0dc58dea44..985caf6382 100644 --- a/src/rm/RequestManagerGroup.cc +++ b/src/rm/RequestManagerGroup.cc @@ -197,8 +197,6 @@ void GroupEditProvider::request_execute( return; } - edit_acl_rules(group_id, zone_id, cluster_id, error_str); - success_response(cluster_id, att); } 
@@ -214,124 +212,8 @@ int GroupAddProvider::edit_resource_provider( /* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */ -int GroupAddProvider::edit_acl_rules( - int group_id, int zone_id, int cluster_id, string& error_msg) -{ - int rc = 0; - - long long mask_prefix; - - if (cluster_id == ClusterPool::ALL_RESOURCES) - { - mask_prefix = AclRule::ALL_ID; - } - else - { - mask_prefix = AclRule::CLUSTER_ID | cluster_id; - } - - // @ HOST/% MANAGE # - rc += aclm->add_rule( - AclRule::GROUP_ID | - group_id, - - mask_prefix | - PoolObjectSQL::HOST, - - AuthRequest::MANAGE, - - AclRule::INDIVIDUAL_ID | - zone_id, - - error_msg); - - // @ DATASTORE+NET/% USE # - rc += aclm->add_rule( - AclRule::GROUP_ID | - group_id, - - mask_prefix | - PoolObjectSQL::DATASTORE | - PoolObjectSQL::NET, - - AuthRequest::USE, - - AclRule::INDIVIDUAL_ID | - zone_id, - - error_msg); - - if (rc != 0) - { - return -1; - } - - return 0; -} - -/* -------------------------------------------------------------------------- */ -/* -------------------------------------------------------------------------- */ - int GroupDelProvider::edit_resource_provider( Group* group, int zone_id, int cluster_id, string& error_msg) { return group->del_resource_provider(zone_id, cluster_id, error_msg); } - -/* -------------------------------------------------------------------------- */ -/* -------------------------------------------------------------------------- */ - -int GroupDelProvider::edit_acl_rules( - int group_id, int zone_id, int cluster_id, string& error_msg) -{ - int rc = 0; - - long long mask_prefix; - - if (cluster_id == ClusterPool::ALL_RESOURCES) - { - mask_prefix = AclRule::ALL_ID; - } - else - { - mask_prefix = AclRule::CLUSTER_ID | cluster_id; - } - - // @ HOST/% MANAGE # - rc += aclm->del_rule( - AclRule::GROUP_ID | - group_id, - - mask_prefix | - PoolObjectSQL::HOST, - - AuthRequest::MANAGE, - 
- AclRule::INDIVIDUAL_ID | - zone_id, - - error_msg); - - // @ DATASTORE+NET/% USE # - rc += aclm->del_rule( - AclRule::GROUP_ID | - group_id, - - mask_prefix | - PoolObjectSQL::DATASTORE | - PoolObjectSQL::NET, - - AuthRequest::USE, - - AclRule::INDIVIDUAL_ID | - zone_id, - - error_msg); - - if (rc != 0) - { - return -1; - } - - return 0; -}