
Feature #1565: Add new ACL resource ID bit, '%', for clusters. The reserve lookup is pending

This commit is contained in:
Carlos Martín 2013-01-16 18:27:36 +01:00
parent 3bfae38f5a
commit 1b6e38dac1
6 changed files with 72 additions and 26 deletions


@ -179,10 +179,12 @@ private:
* @param user_req user/group id and flags
* @param resource_oid_req 64 bit request, ob. type and individual oid
* @param resource_gid_req 64 bit request, ob. type and group id
* @param resource_cid_req 64 bit request, ob. type and cluster id
* @param resource_all_req 64 bit request, ob. type and all flag
* @param rights_req Requested rights
* @param individual_obj_type Mask with ob. type and individual flags
* @param group_obj_type Mask with ob. type and group flags
* @param cluster_obj_type Mask with ob. type and cluster flags
* @param rules ACL rules to match
*
* @return true if any rule grants permission
@ -191,10 +193,12 @@ private:
long long user_req,
long long resource_oid_req,
long long resource_gid_req,
long long resource_cid_req,
long long resource_all_req,
long long rights_req,
long long individual_obj_type,
long long group_obj_type,
long long cluster_obj_type,
multimap<long long, AclRule*> &rules);
/**
@ -204,10 +208,12 @@ private:
* @param user_req user/group id and flags
* @param resource_oid_req 64 bit request, ob. type and individual oid
* @param resource_gid_req 64 bit request, ob. type and group id
* @param resource_cid_req 64 bit request, ob. type and cluster id
* @param resource_all_req 64 bit request, ob. type and all flag
* @param rights_req Requested rights
* @param individual_obj_type Mask with ob. type and individual flags
* @param group_obj_type Mask with ob. type and group flags
* @param cluster_obj_type Mask with ob. type and cluster flags
* @param tmp_rules Temporary map group of ACL rules
*
* @return true if any rule grants permission
@ -216,10 +222,12 @@ private:
long long user_req,
long long resource_oid_req,
long long resource_gid_req,
long long resource_cid_req,
long long resource_all_req,
long long rights_req,
long long individual_obj_type,
long long group_obj_type,
long long cluster_obj_type,
multimap<long long, AclRule*> &tmp_rules);
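Review bot: The parameter names documented here for the mask arguments (`individual_obj_type`, `group_obj_type`, and the new `cluster_obj_type`) do not match the names the match_rules definition in AclManager.cc uses (`resource_oid_mask`, `resource_gid_mask`, `resource_cid_mask`), so the new doc line inherits an existing mismatch that makes the contract hard to grep. "Mask with ob. type and cluster flags" also leaves out what the mask is for; a reader cannot tell how it is applied without opening the .cc. Suggested wording for the new line: `* @param cluster_obj_type Mask selecting the object-type bits, the CLUSTER_ID flag and the 32-bit cluster id; a rule matches when (rule->resource & mask) == resource_cid_req`. The enclosing class declaration lies outside the shown lines.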
/**


@ -40,6 +40,8 @@ public:
static const long long GROUP_ID;
static const long long ALL_ID;
static const long long CLUSTER_ID;
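Review bot: `CLUSTER_ID` joins three constants that carry no comment, and nothing in this header says they are mutually exclusive selector bits rather than flags that may be combined. Add a comment above the group so rule authors and future callers do not OR two of them together: `/** Resource selector flags (bits 32-35 of resource): exactly one of INDIVIDUAL_ID, GROUP_ID, CLUSTER_ID or ALL_ID must be set; malformed() rejects rules that set none or more than one. */`. The bit positions follow the definitions in AclRule.cc in this same commit; the class declaration is outside the shown lines.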
// ------------------------------------------------------------------------
/**


@ -34,6 +34,7 @@ public:
oid(-1),
uid(-1),
gid(-1),
cid(-1),
owner_u(1),
owner_m(1),
owner_a(0),
@ -60,6 +61,7 @@ public:
int oid;
int uid;
int gid;
int cid;
int owner_u;
int owner_m;
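Review bot: The new `cid` member is undocumented and its sentinel is only visible in the constructor initializer list, yet AclManager::authorize() in this commit treats any non-negative value as a cluster id and builds a `%` request from it. Document the contract next to the field: `int cid; // cluster id of a Clusterable object, -1 when it has none; authorize() builds a cluster (%) request only when cid >= 0`. Because of that `>= 0` test, every code path that fills a PoolObjectAuth by hand rather than through get_permissions() must leave cid at -1 or set it deliberately — worth confirming for callers outside this commit. The class declaration lies outside the shown lines.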


@ -168,6 +168,19 @@ const bool AclManager::authorize(
resource_gid_req = AclRule::NONE_ID;
}
long long resource_cid_req;
if ( obj_perms.cid >= 0 )
{
resource_cid_req = obj_perms.obj_type |
AclRule::CLUSTER_ID |
obj_perms.cid;
}
else
{
resource_cid_req = AclRule::NONE_ID;
}
long long resource_all_req = obj_perms.obj_type | AclRule::ALL_ID;
long long rights_req = op;
@ -179,6 +192,10 @@ const bool AclManager::authorize(
AclRule::GROUP_ID |
0x00000000FFFFFFFFLL;
long long resource_cid_mask = obj_perms.obj_type |
AclRule::CLUSTER_ID |
0x00000000FFFFFFFFLL;
// Create a temporal rule, to log the request
long long log_resource;
@ -190,6 +207,10 @@ const bool AclManager::authorize(
{
log_resource = resource_gid_req;
}
else if ( obj_perms.cid >= 0 )
{
log_resource = resource_cid_req;
}
else
{
log_resource = resource_all_req;
@ -226,10 +247,12 @@ const bool AclManager::authorize(
auth = match_rules_wrapper(user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
resource_oid_mask,
resource_gid_mask,
resource_cid_mask,
tmp_rules);
if ( auth == true )
{
@ -244,10 +267,12 @@ const bool AclManager::authorize(
auth = match_rules_wrapper(user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
resource_oid_mask,
resource_gid_mask,
resource_cid_mask,
tmp_rules);
if ( auth == true )
{
@ -262,10 +287,12 @@ const bool AclManager::authorize(
auth = match_rules_wrapper(user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
resource_oid_mask,
resource_gid_mask,
resource_cid_mask,
tmp_rules);
if ( auth == true )
{
@ -285,10 +312,12 @@ bool AclManager::match_rules_wrapper(
long long user_req,
long long resource_oid_req,
long long resource_gid_req,
long long resource_cid_req,
long long resource_all_req,
long long rights_req,
long long individual_obj_type,
long long group_obj_type,
long long cluster_obj_type,
multimap<long long, AclRule*> &tmp_rules)
{
bool auth = false;
@ -298,10 +327,12 @@ bool AclManager::match_rules_wrapper(
user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
individual_obj_type,
group_obj_type,
cluster_obj_type,
tmp_rules);
if ( auth == true )
@ -316,10 +347,12 @@ bool AclManager::match_rules_wrapper(
user_req,
resource_oid_req,
resource_gid_req,
resource_cid_req,
resource_all_req,
rights_req,
individual_obj_type,
group_obj_type,
cluster_obj_type,
acl_rules);
unlock();
@ -334,10 +367,12 @@ bool AclManager::match_rules(
long long user_req,
long long resource_oid_req,
long long resource_gid_req,
long long resource_cid_req,
long long resource_all_req,
long long rights_req,
long long resource_oid_mask,
long long resource_gid_mask,
long long resource_cid_mask,
multimap<long long, AclRule*> &rules)
{
@ -370,6 +405,9 @@ bool AclManager::match_rules(
||
// Or rule's object type and individual object ID match
( ( it->second->resource & resource_oid_mask ) == resource_oid_req )
||
// Or rule's object type and cluster object ID match
( ( it->second->resource & resource_cid_mask ) == resource_cid_req )
);
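Review bot: The new cluster branch `( ( it->second->resource & resource_cid_mask ) == resource_cid_req )` is only safe for objects without a cluster because `resource_cid_req` is then `AclRule::NONE_ID` (bit 60), which no mask selects (assuming no object-type bit reaches that high), so the comparison can never be true; that invariant is implicit, and a maintainer who widens a mask or moves NONE_ID would break authorization silently. Add a comment where `resource_cid_req = AclRule::NONE_ID;` is assigned: `// NONE_ID lies outside every resource mask, so (rule & mask) == NONE_ID is always false`. The `obj_perms.cid >= 0` guard is also what keeps the OR into a long long sound — a negative int cid would sign-extend and set the flag bits — so it should stay even if the mask changes. The boolean expression being extended starts before the shown hunk, and match_rules continues past it.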
if ( auth == true )


@ -24,6 +24,7 @@
const long long AclRule::INDIVIDUAL_ID = 0x0000000100000000LL;
const long long AclRule::GROUP_ID = 0x0000000200000000LL;
const long long AclRule::ALL_ID = 0x0000000400000000LL;
const long long AclRule::CLUSTER_ID = 0x0000000800000000LL;
const long long AclRule::NONE_ID = 0x1000000000000000LL;
@ -122,7 +123,11 @@ bool AclRule::malformed(string& error_str) const
// Check resource
if ( (resource & INDIVIDUAL_ID) != 0 && (resource & GROUP_ID) != 0 )
if ( ( (resource & INDIVIDUAL_ID) != 0 && (resource & 0xF00000000LL) != INDIVIDUAL_ID ) ||
( (resource & GROUP_ID) != 0 && (resource & 0xF00000000LL) != GROUP_ID ) ||
( (resource & CLUSTER_ID) != 0 && (resource & 0xF00000000LL) != CLUSTER_ID ) ||
( (resource & ALL_ID) != 0 && (resource & 0xF00000000LL) != ALL_ID )
)
{
if ( error )
{
@ -130,10 +135,11 @@ bool AclRule::malformed(string& error_str) const
}
error = true;
oss << "[resource] INDIVIDUAL (#) and GROUP (@) bits are exclusive";
oss << "[resource] INDIVIDUAL (#), GROUP (@), CLUSTER (%) "
<< "and ALL (*) bits are exclusive";
}
if ( (resource & INDIVIDUAL_ID) != 0 && (resource & ALL_ID) != 0 )
if ( (resource & 0xF00000000LL) == 0 )
{
if ( error )
{
@ -141,29 +147,7 @@ bool AclRule::malformed(string& error_str) const
}
error = true;
oss << "[resource] INDIVIDUAL (#) and ALL (*) bits are exclusive";
}
if ( (resource & GROUP_ID) != 0 && (resource & ALL_ID) != 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] GROUP (@) and ALL (*) bits are exclusive";
}
if ( (resource & 0x700000000LL) == 0 )
{
if ( error )
{
oss << "; ";
}
error = true;
oss << "[resource] is missing one of the INDIVIDUAL, GROUP or ALL bits";
oss << "[resource] is missing one of the INDIVIDUAL, GROUP, CLUSTER or ALL bits";
}
if ( resource_id() < 0 )
@ -294,6 +278,10 @@ void AclRule::build_str()
{
oss << "#" << resource_id();
}
else if ( (resource & CLUSTER_ID) != 0 )
{
oss << "%" << resource_id();
}
else if ( (resource & ALL_ID) != 0 )
{
oss << "*";
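Review bot: The selector-bit mask `0xF00000000LL` is now spelled out five times in malformed(), having silently replaced the old `0x700000000LL`; the next selector bit needs the same find-and-replace, and a missed site would accept a malformed rule or reject a valid one. Derive it once from the constants, e.g. a file-local `static const long long SELECTOR_MASK = INDIVIDUAL_ID | GROUP_ID | CLUSTER_ID | ALL_ID;`, and use it in both the exclusivity test and the missing-bit test. The combined check is otherwise correct: with one selector bit set, any other bit in that nibble makes `(resource & mask) != THAT_ID` true, so all pairwise cases collapse into one condition. malformed() and build_str() both extend beyond the shown hunks.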


@ -17,6 +17,7 @@
#include "PoolObjectSQL.h"
#include "PoolObjectAuth.h"
#include "SSLTools.h"
#include "Clusterable.h"
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
@ -260,6 +261,13 @@ void PoolObjectSQL::get_permissions(PoolObjectAuth& auth)
auth.other_u = other_u;
auth.other_m = other_m;
auth.other_a = other_a;
Clusterable* cl = dynamic_cast<Clusterable*>(this);
if(cl != 0)
{
auth.cid = cl->get_cluster_id();
}
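Review bot: `auth.cid` is the only field get_permissions assigns conditionally: `auth.other_a` and its siblings are always overwritten, but a non-Clusterable object leaves whatever `cid` the caller's PoolObjectAuth already held, so a reused struct could carry a stale cluster id into authorize(), which treats any non-negative cid as a cluster match. Assign it unconditionally: `auth.cid = (cl != 0) ? cl->get_cluster_id() : -1;` (assuming get_cluster_id() returns the int that PoolObjectAuth::cid is declared as). A short comment that the cross-cast depends on PoolObjectSQL being polymorphic would also help the next reader. get_permissions starts before the shown hunk.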
}
/* -------------------------------------------------------------------------- */