Feature #1742: List resources from secondary groups
parent
1b3a10b958
commit
0bc0f4a353
@ -128,7 +128,7 @@ public:
|
||||
* the given user to perform the operation.
|
||||
*
|
||||
* @param uid The user ID
|
||||
* @param gid Group ID of the user
|
||||
* @param user_groups Set of group IDs that the user is part of
|
||||
* @param obj_type The object over which the search will be performed
|
||||
* @param op The operation to be searched
|
||||
* @param all True if the user can perform the operation over any object
|
||||
@ -137,7 +137,7 @@ public:
|
||||
* @param cids Set of object cluster IDs over which the user can operate
|
||||
*/
|
||||
void reverse_search(int uid,
|
||||
int gid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType obj_type,
|
||||
AuthRequest::Operation op,
|
||||
bool& all,
|
||||
|
@ -20,6 +20,7 @@
|
||||
#include <map>
|
||||
#include <string>
|
||||
#include <queue>
|
||||
#include <set>
|
||||
|
||||
#include "SqlDB.h"
|
||||
#include "PoolObjectSQL.h"
|
||||
@ -180,30 +181,31 @@ public:
|
||||
* Creates a filter for those objects (oids) or objects owned by a given
|
||||
* group that an user can access based on the ACL rules
|
||||
* @param uid the user id
|
||||
* @param gid the group id
|
||||
* @param user_groups Set of group IDs that the user is part of
|
||||
* @param auth_object object type
|
||||
* @param all returns if the user can access all objects
|
||||
* @param filter the resulting filter string
|
||||
*/
|
||||
static void acl_filter(int uid,
|
||||
int gid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType auth_object,
|
||||
bool& all,
|
||||
string& filter);
|
||||
|
||||
/**
|
||||
* Creates a filter for the objects owned by a given user/group
|
||||
* @param uid the user id
|
||||
* @param gid the group id
|
||||
* @param user_groups Set of group IDs that the user is part of
|
||||
* @param filter_flag query type (ALL, MINE, GROUP)
|
||||
* @param all user can access all objects
|
||||
* @param filter the resulting filter string
|
||||
*/
|
||||
static void usr_filter(int uid,
|
||||
int gid,
|
||||
int filter_flag,
|
||||
bool all,
|
||||
const string& acl_str,
|
||||
string& filter);
|
||||
static void usr_filter(int uid,
|
||||
const set<int>& user_groups,
|
||||
int filter_flag,
|
||||
bool all,
|
||||
const string& acl_str,
|
||||
string& filter);
|
||||
/**
|
||||
* Creates a filter for a given set of objects based on their id
|
||||
* @param start_id first id
|
||||
|
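Review bot: The usr_filter comment is edited here but still documents `filter_flag` as "query type (ALL, MINE, GROUP)", while the implementation in PoolSQL.cc matches `RequestManagerPoolInfoFilter::MINE_GROUP` and treats any other value as a user id to filter on, and `acl_str` has no @param at all. Suggest `@param filter_flag query type (ALL, MINE, MINE_GROUP) or a specific user id` and `@param acl_str ACL clause produced by acl_filter, appended as-is to the resulting filter`. The same doc block should also state that the result is a SQL WHERE fragment built only from integer ids, since that is what keeps the string construction safe.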
@ -721,7 +721,7 @@ void AclManager::del_resource_matching_rules(long long resource_req,
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void AclManager::reverse_search(int uid,
|
||||
int gid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType obj_type,
|
||||
AuthRequest::Operation op,
|
||||
bool& all,
|
||||
@ -769,22 +769,30 @@ void AclManager::reverse_search(int uid,
|
||||
// Look for the rules that match
|
||||
// ---------------------------------------------------
|
||||
|
||||
long long user_reqs[] =
|
||||
vector<long long> user_reqs;
|
||||
vector<long long>::iterator reqs_it;
|
||||
|
||||
set<int>::iterator g_it;
|
||||
|
||||
// rules that apply to everyone
|
||||
user_reqs.push_back(AclRule::ALL_ID);
|
||||
|
||||
// rules that apply to the individual user id
|
||||
user_reqs.push_back(AclRule::INDIVIDUAL_ID | uid);
|
||||
|
||||
// rules that apply to each one of the user's groups
|
||||
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
|
||||
{
|
||||
AclRule::ALL_ID, // rules that apply to everyone
|
||||
AclRule::INDIVIDUAL_ID | uid, // rules that apply to the individual user id
|
||||
AclRule::GROUP_ID | gid // rules that apply to the user's groups
|
||||
};
|
||||
user_reqs.push_back(AclRule::GROUP_ID | *g_it);
|
||||
}
|
||||
|
||||
all = false;
|
||||
|
||||
for ( int i=0; i<3; i++ )
|
||||
for (reqs_it = user_reqs.begin(); reqs_it != user_reqs.end(); reqs_it++)
|
||||
{
|
||||
long long user_req = user_reqs[i];
|
||||
|
||||
lock();
|
||||
|
||||
index = acl_rules.equal_range( user_req );
|
||||
index = acl_rules.equal_range( *reqs_it );
|
||||
|
||||
for ( it = index.first; it != index.second; it++)
|
||||
{
|
||||
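Review bot: Dropping the `AclRule::GROUP_ID | gid` entry means rules granted to the user's primary group are now found only if `user_groups` also contains that primary group; nothing in this hunk, in the acl_filter call that forwards `user_groups`, or in where_filter (which passes `att.group_ids`) checks that, so if `group_ids` ever holds only secondary groups the user silently loses primary-group grants. Worth a comment on the loop, e.g. `// user_groups must include the primary group: the GROUP_ID | gid rule is no longer added separately`, or a check at the caller that the primary gid is in the set. A smaller style point: `g_it++` and `reqs_it++` on iterators should be `++g_it` / `++reqs_it`. The body of reverse_search continues outside the hunk.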
|
@ -579,14 +579,14 @@ int PoolSQL::search(
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void PoolSQL::acl_filter(int uid,
|
||||
int gid,
|
||||
const set<int>& user_groups,
|
||||
PoolObjectSQL::ObjectType auth_object,
|
||||
bool& all,
|
||||
string& filter)
|
||||
{
|
||||
filter.clear();
|
||||
|
||||
if ( uid == 0 || gid == 0 )
|
||||
if ( uid == UserPool::ONEADMIN_ID || user_groups.count( GroupPool::ONEADMIN_ID ) == 1 )
|
||||
{
|
||||
all = true;
|
||||
return;
|
||||
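Review bot: The new admin short-circuit sets `all = true` for any user whose `user_groups` contains `GroupPool::ONEADMIN_ID`, so secondary membership in the oneadmin group is now enough to skip every filter, where the old `gid == 0` check only looked at the primary group. That is presumably intended by the feature, but it is a privilege boundary and the declaration's comment in PoolSQL.h (`@param all returns if the user can access all objects`) should say so, e.g. `@param all set to true for the oneadmin user and for any member, primary or secondary, of the oneadmin group; no filter is built in that case`. Also `user_groups.count( GroupPool::ONEADMIN_ID ) == 1` reads more naturally as `!= 0` on a set. acl_filter's body continues past the hunk.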
@ -603,7 +603,7 @@ void PoolSQL::acl_filter(int uid,
|
||||
vector<int> cids;
|
||||
|
||||
aclm->reverse_search(uid,
|
||||
gid,
|
||||
user_groups,
|
||||
auth_object,
|
||||
AuthRequest::USE,
|
||||
all,
|
||||
@ -631,32 +631,43 @@ void PoolSQL::acl_filter(int uid,
|
||||
|
||||
/* -------------------------------------------------------------------------- */
|
||||
|
||||
void PoolSQL::usr_filter(int uid,
|
||||
int gid,
|
||||
int filter_flag,
|
||||
bool all,
|
||||
const string& acl_str,
|
||||
string& filter)
|
||||
void PoolSQL::usr_filter(int uid,
|
||||
const set<int>& user_groups,
|
||||
int filter_flag,
|
||||
bool all,
|
||||
const string& acl_str,
|
||||
string& filter)
|
||||
{
|
||||
ostringstream uid_filter;
|
||||
|
||||
set<int>::iterator g_it;
|
||||
|
||||
if ( filter_flag == RequestManagerPoolInfoFilter::MINE )
|
||||
{
|
||||
uid_filter << "uid = " << uid;
|
||||
}
|
||||
else if ( filter_flag == RequestManagerPoolInfoFilter::MINE_GROUP )
|
||||
{
|
||||
uid_filter << " uid = " << uid
|
||||
<< " OR ( gid = " << gid << " AND group_u = 1 )";
|
||||
uid_filter << " uid = " << uid;
|
||||
|
||||
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
|
||||
{
|
||||
uid_filter << " OR ( gid = " << *g_it << " AND group_u = 1 )";
|
||||
}
|
||||
}
|
||||
else if ( filter_flag == RequestManagerPoolInfoFilter::ALL )
|
||||
{
|
||||
if (!all)
|
||||
{
|
||||
uid_filter << " uid = " << uid
|
||||
<< " OR ( gid = " << gid << " AND group_u = 1 )"
|
||||
<< " OR other_u = 1"
|
||||
<< acl_str;
|
||||
<< " OR other_u = 1";
|
||||
|
||||
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
|
||||
{
|
||||
uid_filter << " OR ( gid = " << *g_it << " AND group_u = 1 )";
|
||||
}
|
||||
|
||||
uid_filter << acl_str;
|
||||
}
|
||||
}
|
||||
else
|
||||
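Review bot: The `for (g_it = user_groups.begin(); ...)` loop emitting `OR ( gid = N AND group_u = 1 )` is now written out three times in usr_filter (the MINE_GROUP branch, the ALL branch, and the per-user branch in the following hunk); a file-local helper keeps the clause in one place so a later change to the group predicate cannot drift between branches. The interpolated values are ints, so the string build is free of injection as long as that holds, and a single helper makes that property easier to audit. usr_filter continues past the hunk.
```cpp
// Appends one " OR ( gid = N AND group_u = 1 )" clause per group the user belongs to.
static void append_group_clause(ostringstream& os, const set<int>& user_groups)
{
    for (set<int>::const_iterator g_it = user_groups.begin(); g_it != user_groups.end(); ++g_it)
    {
        os << " OR ( gid = " << *g_it << " AND group_u = 1 )";
    }
}

// … unchanged: usr_filter signature and MINE branch …
    else if ( filter_flag == RequestManagerPoolInfoFilter::MINE_GROUP )
    {
        uid_filter << " uid = " << uid;
        append_group_clause(uid_filter, user_groups);
    }
// … unchanged: ALL branch and per-user branch, each calling append_group_clause in place of its loop …
```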
@ -665,11 +676,14 @@ void PoolSQL::usr_filter(int uid,
|
||||
|
||||
if ( filter_flag != uid && !all )
|
||||
{
|
||||
uid_filter << " AND ("
|
||||
<< " ( gid = " << gid << " AND group_u = 1)"
|
||||
<< " OR other_u = 1"
|
||||
<< acl_str
|
||||
<< ")";
|
||||
uid_filter << " AND ( other_u = 1";
|
||||
|
||||
for (g_it = user_groups.begin(); g_it != user_groups.end(); g_it++)
|
||||
{
|
||||
uid_filter << " OR ( gid = " << *g_it << " AND group_u = 1 )";
|
||||
}
|
||||
|
||||
uid_filter << acl_str << ")";
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -279,9 +279,9 @@ void RequestManagerPoolInfoFilter::where_filter(
|
||||
|
||||
ostringstream filter;
|
||||
|
||||
PoolSQL::acl_filter(att.uid, att.gid, auth_object, all, acl_str);
|
||||
PoolSQL::acl_filter(att.uid, att.group_ids, auth_object, all, acl_str);
|
||||
|
||||
PoolSQL::usr_filter(att.uid, att.gid, filter_flag, all, acl_str, uid_str);
|
||||
PoolSQL::usr_filter(att.uid, att.group_ids, filter_flag, all, acl_str, uid_str);
|
||||
|
||||
PoolSQL::oid_filter(start_id, end_id, oid_str);
|
||||
|
||||
|