Feature #3167: Make the restricted attributes apply only to reservations

include/RequestManagerAllocate.h

@@ -180,10 +180,6 @@ public:
                       int cluster_id,
                       const string& cluster_name);
 
-    bool allocate_authorization(Template *          obj_template,
-                                RequestAttributes&  att,
-                                PoolObjectAuth *    cluster_perms);
-
     int get_cluster_id(xmlrpc_c::paramList const&  paramList)
     {
         return xmlrpc_c::value_int(paramList.getInt(2));

include/VirtualNetwork.h

@@ -304,6 +304,12 @@ public:
     int reserve_addr_by_mac(VirtualNetwork *rvnet, unsigned int rsize,
         unsigned int ar_id, const string& mac, string& error_str);
 
+    /**
+     * Returns true if this VNET is a reservation
+     * @return true if this VNET is a reservation
+     */
+    bool is_reservation() const;
+
     // *************************************************************************
     // Formatting & Helper functions
     // *************************************************************************

share/etc/oned.conf

@@ -755,6 +755,11 @@ VM_RESTRICTED_ATTR = "DISK/WRITE_IOPS_SEC"
 
 IMAGE_RESTRICTED_ATTR = "SOURCE"
 
+#*******************************************************************************
+# The following restricted attributes only apply to VNets that are a reservation.
+# Normal VNets do not have restricted attributes.
+#*******************************************************************************
+
 VNET_RESTRICTED_ATTR = "PHYDEV"
 VNET_RESTRICTED_ATTR = "VLAN_ID"
 VNET_RESTRICTED_ATTR = "VLAN"

src/rm/RequestManagerAllocate.cc

@@ -125,45 +125,6 @@ bool VirtualMachineAllocate::allocate_authorization(
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */
 
-bool VirtualNetworkAllocate::allocate_authorization(
-        Template *          tmpl,
-        RequestAttributes&  att,
-        PoolObjectAuth *    cluster_perms)
-{
-    string aname;
-
-    VirtualNetworkTemplate * vn_tmpl = static_cast<VirtualNetworkTemplate *>(tmpl);
-
-    bool auth = RequestManagerAllocate::allocate_authorization(
-                                                vn_tmpl, att, cluster_perms);
-
-    if ( auth )
-    {
-        // ------------ Check template for restricted attributes  --------------
-
-        if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
-        {
-            if (vn_tmpl->check(aname))
-            {
-                ostringstream oss;
-
-                oss << "Template includes a restricted attribute " << aname;
-
-                failure_response(AUTHORIZATION,
-                        authorization_error(oss.str(), att),
-                        att);
-
-                return false;
-            }
-        }
-    }
-
-    return auth;
-}
-
-/* -------------------------------------------------------------------------- */
-/* -------------------------------------------------------------------------- */
-
 void RequestManagerAllocate::request_execute(xmlrpc_c::paramList const& params,
                                              RequestAttributes& att)
 {

src/vnm/VirtualNetwork.cc

@@ -245,7 +245,7 @@ int VirtualNetwork::replace_template(
         return -1;
     }
 
-    if (keep_restricted)
+    if (keep_restricted && is_reservation())
     {
         new_tmpl->remove_restricted();
 
@@ -686,6 +686,8 @@ int VirtualNetwork::update_ar(
         return -1;
     }
 
+    keep_restricted = keep_restricted && is_reservation();
+
     return ar_pool.update_ar(tmp_ars, keep_restricted, error_msg);
 }
 
@@ -989,3 +991,8 @@ int VirtualNetwork::reserve_addr_by_mac(VirtualNetwork *rvnet,
 
     return 0;
 }
+
+bool VirtualNetwork::is_reservation() const
+{
+    return parent_vid != -1;
+}